Abstract. We propose a logic for true concurrency whose formulae predicate about events in computations and their causal dependencies. The induced logical equivalence is hereditary history preserving bisimilarity, and fragments of the logic can be identified which correspond to other true concurrent behavioural equivalences in the literature: step, pomset and history preserving bisimilarity. Standard Hennessy-Milner logic, and thus (interleaving) bisimilarity, is also recovered as a fragment. We also propose an extension of the logic with fixpoint operators, thus allowing us to describe causal and concurrency properties of infinite computations. We believe that this work contributes to a rational presentation of the true concurrent spectrum and to a deeper understanding of the relations between the involved behavioural equivalences.
1 Introduction

In the semantics of concurrent and distributed systems, a major dichotomy opposes the interleaving approaches, where concurrency of actions is reduced to the non-deterministic choice among their possible sequentializations, to true-concurrent approaches, where concurrency is taken as a primitive notion. In both cases, on top of the operational models a number of behavioural equivalences have been defined by abstracting from aspects which are considered unobservable [vG01,vGG01]. For the interleaving world, a systematic and impressive picture is given by the linear-time branching-time spectrum [vG01]. Quite interestingly, the equivalences in the spectrum can be uniformly characterised in logical terms. Bisimilarity, the finest equivalence, corresponds to Hennessy-Milner (HM) logic: two processes are bisimilar if and only if they satisfy the same HM logic formulae [HM85]. Coarser equivalences correspond to suitable fragments of HM logic.

In the true-concurrent world, relying on models like event structures or transition systems with independence [WN95], several behavioural equivalences have been defined, ranging from hereditary history preserving (hhp-) bisimilarity to pomset and step bisimilarity. Correspondingly, a number of logics have been studied, but, to the best of our knowledge, a unifying logical framework encompassing the main true-concurrent equivalences is still missing. The huge amount of work on the topic makes it impossible to give a complete account of related approaches. Just to give a few references (see Section 7 for a wider discussion), [DNF90] proposes a general framework encompassing a number of temporal and modal logics that characterise pomset and weak history preserving bisimilarities as well as interleaving bisimilarity. However, finer equivalences are not considered and a single unitary logic is missing. History preserving (hp-) bisimilarity has been characterised in automata-theoretic terms using HD-automata [MP97] or Petri nets [Vog91]. Concerning hhp-bisimilarity, several logics with modalities corresponding to the "retraction" or "backward" execution of computations have been proposed [NC95,Bed91,HS85,PU11]. In the absence of autoconcurrency they are shown to capture hhp-bisimilarity, while the general case complicates the picture and requires some adjustments.

In this paper we propose a behavioural logic for concurrency and we show that it allows us to characterise a relevant part of the truly concurrent spectrum. More specifically, the full logic $\mathcal{L}$ is shown to capture hhp-bisimilarity, the finest equivalence in the spectrum in [vGG01]. Then suitable fragments of the logic are shown to scale down to the characterisation of other coarser equivalences, i.e., history preserving, pomset and step bisimilarity. Standard HM logic, and thus (interleaving) bisimilarity, is also recovered as a fragment.

Our logic allows us to predicate about events in computations together with their causal and independence relations. It is interpreted over prime event structures, but it could naturally be interpreted over any formalism with a notion of event, causality and consistency. A formula is evaluated in a configuration representing the current state of the computation, and it predicates on the possible future evolutions starting from that state. The logic is event-based in the sense that it contains an operator acting as a binder: it asserts the existence of an event satisfying suitable requirements and it binds the event to a variable so that the event can be referred to later in the formula. In this respect, it is reminiscent of the modal analogue of independence-friendly modal logic as considered in [BF02].

Specifically, the logic contains two main operators. The formula $(x, y < a\, z)\varphi$ declares that an $a$-labelled future event exists, which causally depends on the event bound to $x$ and is independent from the event bound to $y$. Such an event is bound to variable $z$ so that it can later be referred to in $\varphi$. In general, $x$ and $y$ can be replaced by tuples of variables. A second operator allows us to "execute" events previously bound to variables. The formula $\langle z \rangle \varphi$ says that the event bound to $z$ is enabled in the current state, and after its execution $\varphi$ holds.

Different behavioural equivalences are induced by fragments of the logic where we suitably restrict the set of possible futures the formulae are able to refer to. Namely, hhp-bisimilarity, which is captured by the full logic, corresponds to the ability of observing the existence of a number of legal but (possibly) incompatible futures. Such ability is strictly related to the capability of observing future events without executing them (in fact the execution of an event would rule out all the events in conflict with it). Interestingly, the definition of hhp-bisimilarity is normally given in terms of backward transitions, whereas our logical characterisation has a "forward flavour". By restricting to a fragment where future events can be observed only by executing them (any occurrence of the binding operator is immediately followed by a corresponding execution), we get hp-bisimilarity. Pomset bisimilarity is induced by a fragment of the logic obtained by further restricting that for hp-bisimilarity, with the requirement that propositional connectives are used only on closed (sub)formulae. Roughly speaking, this fragment predicates about the possibility of executing pomset transitions, and the closedness requirement prevents pomset transitions from being causally linked to the events in the past. Finally, quite intuitively, step bisimilarity corresponds to the possibility of observing only currently enabled concurrent actions.

The logic $\mathcal{L}$ in its basic form is essentially a means to understand and compare the different process equivalences, but its expressive power is rather weak. In fact, although events arbitrarily far in the future can be "observed", the logic only allows us to describe computations where a finite number of events are executed. In order to overcome this limitation and to provide a more powerful specification logic, well-suited for describing properties of unbounded, possibly infinite computations, we enrich the logic with a form of recursion. More specifically, we extend the logic by adding least (and dually greatest) fixpoint operators, thus obtaining a kind of first order modal mu-calculus in the style of [Dam96,DFG98] and of the fixpoint extension of Independence-Friendly Modal Logic in [BK05]. In the resulting logic $\mathcal{L}_\mu$ one can express non-trivial causal properties, like "any $a$ action can always be followed by a causally related $b$ action in at most three steps", or "an $a$ action can always be executed in parallel with a $b$ action". Moreover, we show that, as happens in the interleaving case, the addition of the fixpoint operator does not alter the logical equivalence, hence the logical equivalence of $\mathcal{L}_\mu$ is still hhp-bisimulation.

We believe that this work contributes to the definition of a logical counterpart of the true concurrent spectrum, shedding further light on the relations between the involved behavioural equivalences and suggesting interesting directions of investigation in the verification of true-concurrency properties.

The rest of the paper is organised as follows. In Section 2 we introduce the basics of event structures and the concurrent equivalences we will work with in the paper. In Section 3 we present the syntax and semantics of our logic. In Section 4 we study the logical equivalence induced by the logic, proving that it coincides with hhp-bisimulation. In Section 5 we provide a characterisation of other concurrent equivalences in terms of fragments of our logic. In Section 6 we discuss the fixpoint extension of our logic. Finally, in Section 7 we discuss some related work and present directions of future research.
2 Background

In this section we provide the basics of prime event structures, which will be used as models for our logic. Then we define some common behavioural concurrent equivalences which will play a basic role in the paper.

2.1 Event structures 

Prime event structures [Win87] are a widely known model of concurrency. They describe the behaviour of a system in terms of events and dependency relations between such events. Throughout the paper $\Lambda$ denotes a fixed set of labels ranged over by $a, b, c, \ldots$

Definition 1 (prime event structure). A ($\Lambda$-labelled) prime event structure (pes) is a tuple $\mathcal{E} = \langle E, \leq, \#, \lambda \rangle$, where $E$ is a denumerable set of events, $\lambda : E \to \Lambda$ is a labelling function and $\leq$, $\#$ are binary relations on $E$, called causality and conflict respectively, such that:

1. $\leq$ is a partial order and $\lceil e \rceil = \{e' \in E \mid e' \leq e\}$ is finite for all $e \in E$;

2. $\#$ is irreflexive, symmetric and hereditary with respect to $\leq$, i.e., for all $e, e', e'' \in E$, if $e \# e' \leq e''$ then $e \# e''$.

In the following, we will assume that the components of an event structure £ are named as in 
the definition above. Subscripts carry over the components. 

Definition 2 (consistency, concurrency). Let $\mathcal{E}$ be a pes. We say that $e, e' \in E$ are consistent, written $e \frown e'$, if $\neg(e \# e')$. We say that $e$ and $e'$ are concurrent, written $e \parallel e'$, if $\neg(e \leq e')$, $\neg(e' \leq e)$ and $\neg(e \# e')$.

Causality and concurrency will sometimes be used on sets of events. Given $X \subseteq E$ and $e \in E$, by $X < e$ we mean that for all $e' \in X$, $e' < e$. Similarly $X \parallel e$, resp. $X \frown e$, means that for all $e' \in X$, $e' \parallel e$, resp. $e' \frown e$. We write $\lceil X \rceil$ for $\bigcup_{e \in X} \lceil e \rceil$.

The idea of (concurrent) computation is captured, in event structures, by the notion of config- 
uration. 

Definition 3 (configuration). Let $\mathcal{E}$ be a pes. A (finite) configuration in $\mathcal{E}$ is a (finite) pairwise consistent subset of events $C \subseteq E$ closed w.r.t. causality (i.e., $\lceil C \rceil = C$). The set of finite configurations of $\mathcal{E}$ is denoted by $\mathcal{C}(\mathcal{E})$.

Observe that the empty set of events is always a configuration, which can be seen as the initial state of the computation.

Hereafter, unless explicitly stated otherwise, all configurations will be assumed to be finite. A pairwise consistent subset $X \subseteq E$ of events will always be seen as a pomset (partially ordered multiset) $\langle X, \leq_X, \lambda_X \rangle$, where $\leq_X$ and $\lambda_X$ are the restrictions of $\leq$ and $\lambda$ to $X$. Given $X, Y \subseteq E$ we will write $X \cong Y$ if $X$ and $Y$ are isomorphic as pomsets.

Definition 4 (pomset transition and step). Let $\mathcal{E}$ be a pes and let $C \in \mathcal{C}(\mathcal{E})$. Given $\emptyset \neq X \subseteq E$, if $C \cap X = \emptyset$ and $C' = C \cup X \in \mathcal{C}(\mathcal{E})$ we write $C \xrightarrow{X} C'$ and call it a pomset transition from $C$ to $C'$. When the events in $X$ are pairwise concurrent, we say that $C \xrightarrow{X} C'$ is a step. When $X = \{e\}$ we write $C \xrightarrow{e} C'$ instead of $C \xrightarrow{\{e\}} C'$.

A pes $\mathcal{E}$ is called image finite if for any $C \in \mathcal{C}(\mathcal{E})$ and $a \in \Lambda$, the set of events $\{e \in E \mid C \xrightarrow{e} C' \wedge \lambda(e) = a\}$ is finite. All the pess considered in this paper will be assumed to be image finite. As commonly happens when relating modal logics and bisimilarities, this assumption is crucial for getting a logical characterisation of the various bisimulation equivalences in Sections 4 and 5 based on a finitary logic.
2.2 Concurrent behavioural equivalences

Behavioural equivalences which capture to some extent the concurrency features of a system can be defined on the transition system where states are configurations and transitions are pomset transitions.

Definition 5 (pomset, step bisimulation). Let $\mathcal{E}_1, \mathcal{E}_2$ be pess. A pomset bisimulation is a relation $R \subseteq \mathcal{C}(\mathcal{E}_1) \times \mathcal{C}(\mathcal{E}_2)$ such that if $(C_1, C_2) \in R$ and $C_1 \xrightarrow{X_1} C_1'$ then $C_2 \xrightarrow{X_2} C_2'$, with $X_1 \cong X_2$ and $(C_1', C_2') \in R$, and vice versa. We say that $\mathcal{E}_1, \mathcal{E}_2$ are pomset bisimilar, written $\mathcal{E}_1 \sim_p \mathcal{E}_2$, if there exists a pomset bisimulation $R$ such that $(\emptyset, \emptyset) \in R$.

Step bisimulation is defined analogously, replacing general pomset transitions with steps. We write $\mathcal{E}_1 \sim_s \mathcal{E}_2$ when $\mathcal{E}_1$ and $\mathcal{E}_2$ are step bisimilar.

While pomset and step bisimilarity only consider the causal structure of the current step, (hereditary) history preserving bisimilarities are sensitive to the way in which the executed events depend on events in the past. In order to define history preserving bisimilarities the following definition is helpful.

Definition 6 (posetal product). Given two pess $\mathcal{E}_1, \mathcal{E}_2$, the posetal product of their configurations, denoted $\mathcal{C}(\mathcal{E}_1) \bar{\times} \mathcal{C}(\mathcal{E}_2)$, is defined as

$$\{(C_1, f, C_2) : C_1 \in \mathcal{C}(\mathcal{E}_1),\ C_2 \in \mathcal{C}(\mathcal{E}_2),\ f : C_1 \to C_2 \text{ isomorphism}\}$$

A subset $R \subseteq \mathcal{C}(\mathcal{E}_1) \bar{\times} \mathcal{C}(\mathcal{E}_2)$ is called a posetal relation. We say that $R$ is downward closed when for any $(C_1, f, C_2), (C_1', f', C_2') \in \mathcal{C}(\mathcal{E}_1) \bar{\times} \mathcal{C}(\mathcal{E}_2)$, if $(C_1, f, C_2) \subseteq (C_1', f', C_2')$ pointwise and $(C_1', f', C_2') \in R$ then $(C_1, f, C_2) \in R$.

Given a function $f : X_1 \to X_2$ we will denote by $f[x_1 \mapsto x_2] : X_1 \cup \{x_1\} \to X_2 \cup \{x_2\}$ the function defined, for $z \in X_1 \cup \{x_1\}$, by

$$f[x_1 \mapsto x_2](z) = \begin{cases} x_2 & \text{if } z = x_1 \\ f(z) & \text{otherwise} \end{cases}$$

Note that the same notation can represent an update of $f$, when $x_1 \in X_1$, or an extension of its domain, otherwise.

Definition 7 ((hereditary) history preserving bisimulation). A history preserving (hp-)bisimulation is a posetal relation $R \subseteq \mathcal{C}(\mathcal{E}_1) \bar{\times} \mathcal{C}(\mathcal{E}_2)$ such that if $(C_1, f, C_2) \in R$ and $C_1 \xrightarrow{e_1} C_1'$ then $C_2 \xrightarrow{e_2} C_2'$, with $(C_1', f[e_1 \mapsto e_2], C_2') \in R$, and vice versa. We say that $\mathcal{E}_1, \mathcal{E}_2$ are history preserving (hp-)bisimilar and write $\mathcal{E}_1 \sim_{hp} \mathcal{E}_2$ if there exists a hp-bisimulation $R$ such that $(\emptyset, \emptyset, \emptyset) \in R$.

A hereditary history preserving (hhp-)bisimulation is a downward closed hp-bisimulation. The fact that $\mathcal{E}_1, \mathcal{E}_2$ are hereditary history preserving (hhp-)bisimilar is denoted $\mathcal{E}_1 \sim_{hhp} \mathcal{E}_2$.

It is easy to see (see [vGG01]) that the definition of (h)hp-bisimilarity can be equivalently given by using pomset transitions instead of single event transitions, i.e., by asking that if $(C_1, f, C_2) \in R$ and $C_1 \xrightarrow{X_1} C_1'$ then there exists $C_2 \xrightarrow{X_2} C_2'$ and $(C_1', f', C_2') \in R$, with $f'|_{C_1} = f$.



3 A logic for true concurrency

In this section we introduce the syntax and the semantics of our logic. The formulae are interpreted over pess. They predicate about events in computations and their dependencies as primitive concepts.

In order to keep the notation simple, tuples of variables like $x_1, \ldots, x_n$ will be denoted by $\mathbf{x}$ and, abusing the notation, tuples will often be used as sets.
Definition 8 (syntax). Let $Var$ be a denumerable set of variables ranged over by $x, y, z, \ldots$. The syntax of the logic $\mathcal{L}$ over the set of labels $\Lambda$ is defined as follows, where $a$ ranges over $\Lambda$:

$$\varphi ::= \mathsf{T} \mid \varphi \wedge \varphi \mid \neg\varphi \mid (\mathbf{x}, \mathbf{y} < a\, z)\varphi \mid \langle z \rangle \varphi$$

The operator $(\mathbf{x}, \mathbf{y} < a\, z)$ acts as a binder for the variable $z$, as clarified by the following notion of free variables in a formula.

Definition 9 (free variables). The set of free variables of a formula $\varphi$, denoted $fv(\varphi)$, is inductively defined by:

$$\begin{aligned}
fv(\mathsf{T}) &= \emptyset \\
fv(\varphi_1 \wedge \varphi_2) &= fv(\varphi_1) \cup fv(\varphi_2) \\
fv(\neg\varphi) &= fv(\varphi) \\
fv((\mathbf{x}, \mathbf{y} < a\, z)\varphi) &= (fv(\varphi) \setminus \{z\}) \cup \mathbf{x} \cup \mathbf{y} \\
fv(\langle z \rangle \varphi) &= fv(\varphi) \cup \{z\}
\end{aligned}$$

The satisfaction of a formula $\varphi$ is defined with respect to a configuration $C \in \mathcal{C}(\mathcal{E})$, representing the state of the computation, and a function $\eta : Var \to E$, called an environment, that binds free variables in $\varphi$ to events in the future of $C$. In particular, the events bound to free variables in a formula must be both consistent with the actual state of the computation and pairwise consistent. Such a requirement is expressed by the following definition of legal pair.

Definition 10 (environments, legal pairs). Let $\mathcal{E}$ be a pes. We denote by $Env_{\mathcal{E}}$ the set of environments, i.e., $Env_{\mathcal{E}} = Var \to E$. Given a formula $\varphi$ in $\mathcal{L}$, a pair $(C, \eta) \in \mathcal{C}(\mathcal{E}) \times Env_{\mathcal{E}}$ is legal for $\varphi$ if $C \cup \eta(fv(\varphi))$ is a set of pairwise consistent events. We denote by $lp_{\mathcal{E}}(\varphi)$ the set of legal pairs for $\varphi$.

We simply write $Env$ and $lp(\varphi)$, omitting the subscript, when the pes $\mathcal{E}$ is clear from the context.

Moreover, in order to simplify the definition of the semantics, given a configuration $C$, we denote by $E[C]$ the residual of $E$ after $C$, defined as $E[C] = \{e \mid e \in E \setminus C \wedge C \frown e\}$.

Definition 11 (semantics). Let $\mathcal{E}$ be a pes. The denotation of a formula $\varphi$, written $\{|\varphi|\}^{\mathcal{E}} \in 2^{\mathcal{C}(\mathcal{E}) \times Env}$, is defined inductively as follows:

$$\begin{aligned}
\{|\mathsf{T}|\}^{\mathcal{E}} &= \mathcal{C}(\mathcal{E}) \times Env_{\mathcal{E}} \\
\{|\varphi_1 \wedge \varphi_2|\}^{\mathcal{E}} &= \{|\varphi_1|\}^{\mathcal{E}} \cap \{|\varphi_2|\}^{\mathcal{E}} \\
\{|(\mathbf{x}, \mathbf{y} < a\, z)\varphi|\}^{\mathcal{E}} &= \{(C, \eta) \mid (C, \eta) \in lp((\mathbf{x}, \mathbf{y} < a\, z)\varphi) \text{ and } \exists e \in E[C] \text{ such that} \\
&\qquad \lambda(e) = a \wedge \eta(\mathbf{x}) < e \wedge \eta(\mathbf{y}) \parallel e \wedge (C, \eta[z \mapsto e]) \in \{|\varphi|\}^{\mathcal{E}}\} \\
\{|\langle z \rangle \varphi|\}^{\mathcal{E}} &= \{(C, \eta) \mid C \xrightarrow{\eta(z)} C' \wedge (C', \eta) \in \{|\varphi|\}^{\mathcal{E}}\}
\end{aligned}$$

When $(C, \eta) \in \{|\varphi|\}^{\mathcal{E}}$ we say that the pes $\mathcal{E}$ satisfies the formula $\varphi$ in the configuration $C$ and environment $\eta : Var \to E$, and write $\mathcal{E}, C \models_\eta \varphi$. For closed formulae $\varphi$, we write $\mathcal{E} \models \varphi$, when

Intuitively, the formula $(\mathbf{x}, \mathbf{y} < a\, z)\varphi$ holds in $(C, \eta)$ when in the future of the configuration $C$ there is an $a$-labelled event $e$, consistent with the events bound to free variables in $\varphi$, such that binding $e$ to variable $z$ the formula $\varphi$ holds. Such an event is required to be caused (at least) by the events already bound to variables in $\mathbf{x}$, and to be independent (at least) from those bound to variables in $\mathbf{y}$. We stress that the event $e$ might not be currently enabled; it is only required to be consistent with the current configuration, meaning that it could be enabled in the future of the current configuration. The formula $\langle z \rangle \varphi$ says that the event bound to $z$ is currently enabled, hence it can be executed, producing a new configuration which satisfies the formula $\varphi$. To simplify the notation we write $(a\, z)\varphi$ for $(\emptyset, \emptyset < a\, z)\varphi$.

As an example, consider the pes $\mathcal{E}_1$ in Fig. 1, corresponding to the CCS process $a.b + c.d$, where dotted lines represent immediate conflict and the causal order proceeds upwards along the straight lines. The empty configuration satisfies the closed formula $(b\, x)\mathsf{T}$, i.e., $\mathcal{E}_1 \models (b\, x)\mathsf{T}$, even if the $b$-labelled event is not immediately enabled. Also $\mathcal{E}_1 \models (b\, x)\mathsf{T} \wedge (d\, y)\mathsf{T}$, since there are two possible (incompatible) computations that start from the empty configuration and contain, respectively, a $b$-labelled and a $d$-labelled event. On the other hand, if $\varphi = (a\, z)\langle z \rangle((b\, x)\mathsf{T} \wedge (d\, y)\mathsf{T})$ then $\mathcal{E}_1 \not\models \varphi$, since after the execution of the $a$-labelled event, $\mathcal{E}_1$ reaches a configuration that does not admit a future containing an event labelled by $d$. As a further example, the formula $\varphi$ above is satisfied by the pess $\mathcal{E}_2$ and $\mathcal{E}_3$ in Fig. 1, corresponding respectively to the processes $a.(b + d)$ and $a \mid (b + d)$, whereas the formula $(a\, z)\langle z \rangle(z < b\, x)\mathsf{T}$ is satisfied only by $\mathcal{E}_3$.

It is worth noticing that the semantics of the binding operator does not prevent one from choosing for $z$ an event $e$ that has already been bound to a different variable, i.e., the environment function $\eta$ need not be injective. This is essential to avoid the direct observation of conflicts, a capability which would make the logical equivalence stricter than hhp-bisimilarity (and than any reasonable behavioural equivalence). Consider for instance the pess associated to the hhp-equivalent processes $a + a$ and $a$: in order to be also logically equivalent, they both must satisfy the formula $(a\, z)(a\, z')\mathsf{T}$. Hence for the second pes, both $z$ and $z'$ must be bound to the unique $a$-labelled event. On the other hand, observe that both pess falsify the formula $(a\, z)(a\, z')\langle z \rangle\langle z' \rangle\mathsf{T}$. In fact, $z'$ must be bound to an event consistent with that associated to $z$ (because $z$ occurs free in $\langle z \rangle\langle z' \rangle\mathsf{T}$). Hence $z$ and $z'$ will be bound to the same event, which cannot be executed twice.

3.1 About environments and legal pairs

It is immediate to see that, according to Definition 11, the denotation of a formula always consists of a set of legal pairs for the formula.

Lemma 1 (denotations consist of legal pairs). Let $\mathcal{E}$ be a pes. Then for any formula $\varphi \in \mathcal{L}$, it holds $\{|\varphi|\}^{\mathcal{E}} \subseteq lp_{\mathcal{E}}(\varphi)$.

Proof. Straightforward induction on the structure of the formula $\varphi$. We only comment on the case $\varphi = \langle z \rangle \psi$. If $(C, \eta) \in \{|\varphi|\}^{\mathcal{E}}$ then, by definition, if we let $e = \eta(z)$, it holds that $C \xrightarrow{e} C \cup \{e\}$ and $(C \cup \{e\}, \eta) \in \{|\psi|\}^{\mathcal{E}}$. Hence by inductive hypothesis $(C \cup \{e\}, \eta) \in lp_{\mathcal{E}}(\psi)$, i.e., $C \cup \{e\} \cup \eta(fv(\psi))$ is pairwise consistent. Since $fv(\varphi) = fv(\psi) \cup \{z\}$, we have that $C \cup \eta(fv(\varphi)) = C \cup \{e\} \cup \eta(fv(\psi))$, and thus we can conclude $(C, \eta) \in lp_{\mathcal{E}}(\varphi)$. □

Moreover, the semantics of a formula only depends on the events that the environment associates to the free variables of the formula.

Lemma 2. Let $\mathcal{E}$ be a pes and let $C \in \mathcal{C}(\mathcal{E})$. Let $\varphi \in \mathcal{L}$ and let $\eta_1, \eta_2 : Var \to E$ be environments such that $\eta_1(x) = \eta_2(x)$ for any $x \in fv(\varphi)$. Then $\mathcal{E}, C \models_{\eta_1} \varphi$ iff $\mathcal{E}, C \models_{\eta_2} \varphi$. In particular, $(C, \eta_1) \in lp_{\mathcal{E}}(\varphi)$ if and only if $(C, \eta_2) \in lp_{\mathcal{E}}(\varphi)$.

Proof. Routine induction on the structure of $\varphi$. □

Note that without restricting the semantics of formulae to legal pairs the logic would have been too powerful. Indeed, it would allow one to observe conflicts through a combination of the binder and the execution modality. For instance, consider the pess $\mathcal{E}_4$ and $\mathcal{E}_5$ in Fig. 1, corresponding to the processes $a.b.c + a.b.c$ and $a.b.c$, and take the formula $\varphi = (a\, x)(b\, y)\langle x \rangle \neg\langle y \rangle \mathsf{T}$, saying that there are two events labelled by $a$ and $b$ such that after executing the first, the second cannot be executed. With the current definition neither $\mathcal{E}_4$ nor $\mathcal{E}_5$ satisfies $\varphi$, since after binding $x$ to any $a$-labelled event $e$, in order to keep the denotation legal, $y$ must be bound to the $b$-labelled event caused by $e$, which is executable after $e$. Without the restriction to legal pairs, instead, the formula would hold in $\mathcal{E}_4$, since variables $x$ and $y$ could be bound to conflicting events (e.g., $x$ could be bound to the $a$-labelled event on the left and $y$ to the $b$-labelled event on the right). Similarly, consider the formula $\psi = (a\, x)(b\, y)\neg(x, y < c\, z)\mathsf{T}$, saying that there are two events, labelled by $a$ and $b$ respectively, which are not common causes of any $c$-labelled event. Also $\psi$ holds in neither $\mathcal{E}_4$ nor $\mathcal{E}_5$. Omitting the restriction to legal pairs, $\psi$ would be true only in $\mathcal{E}_4$, where $x$ and $y$ can be bound to conflicting events. This means that the logic would allow one to distinguish the pes corresponding to any process from that corresponding to the non-deterministic choice between that process and itself, which instead are equated by virtually any behavioural equivalence.
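As an added illustration of Definition 11 and of the role of legal pairs discussed above (example code written for this page, not the paper's own), the following Python model checker implements finite pess (Definitions 1 to 4), free variables (Definition 9), legal pairs (Definition 10) and the denotation of formulae, reading negation as in Section 3.2 (¬φ holds only on pairs legal for φ where φ fails). The pess $\mathcal{E}_1$ ($a.b + c.d$), $\mathcal{E}_4$ ($a.b.c + a.b.c$) and $\mathcal{E}_5$ ($a.b.c$) are reconstructed from the text; the event names, the tuple encoding of formulae and the `check_legal` switch (which drops the legal-pair side conditions to reproduce the over-strong logic described above) are assumptions of this example.

```python
"""Model checker for the logic L of Definition 11 over finite prime event structures.
Added example, not the paper's own code."""
from itertools import product


class PES:
    """Finite pes <E, <=, #, lambda> (Definition 1): events {event: label}, immediate-cause
    pairs (e', e) meaning e' < e, immediate-conflict pairs; <= and # are closed as required."""
    def __init__(self, events, causes, conflicts):
        self.label = dict(events)
        self.le = {(e, e) for e in events} | set(causes)
        while True:  # reflexive-transitive closure of causality
            new = {(a, d) for (a, b), (c, d) in product(self.le, repeat=2) if b == c}
            if new <= self.le:
                break
            self.le |= new
        base = set(conflicts) | {(f, e) for e, f in conflicts}  # symmetric closure
        self.conf = {(x, y) for x in events for y in events    # hereditary closure
                     if any((e, x) in self.le and (f, y) in self.le for e, f in base)}

    def lt(self, e, f):
        return (e, f) in self.le and e != f

    def concurrent(self, e, f):  # e || f: causally unrelated and not in conflict
        return (e, f) not in self.le and (f, e) not in self.le and (e, f) not in self.conf

    def consistent(self, xs):  # pairwise consistent set of events
        return all((e, f) not in self.conf for e in xs for f in xs)

    def residual(self, C):  # E[C]: events outside C consistent with all of C
        return {e for e in self.label if e not in C and self.consistent(C | {e})}

    def step(self, C, e):  # C --e--> C u {e} if e is enabled from C, else None
        causes_in = all(c in C for c, f in self.le if f == e and c != e)
        return C | {e} if e not in C and causes_in and self.consistent(C | {e}) else None


# Formulas: T | ('and', p, q) | ('not', p) | ('bind', xs, ys, a, z, p) | ('exec', z, p)
T = ('T',)
def And(p, q): return ('and', p, q)
def Not(p): return ('not', p)
def Bind(xs, ys, a, z, p): return ('bind', tuple(xs), tuple(ys), a, z, p)  # (xs, ys < a z) p
def Exec(z, p): return ('exec', z, p)                                       # <z> p


def fv(phi):
    """Free variables (Definition 9)."""
    tag = phi[0]
    if tag == 'T':
        return set()
    if tag == 'and':
        return fv(phi[1]) | fv(phi[2])
    if tag == 'not':
        return fv(phi[1])
    if tag == 'bind':
        return (fv(phi[5]) - {phi[4]}) | set(phi[1]) | set(phi[2])
    return fv(phi[2]) | {phi[1]}


def legal(pes, C, eta, phi):  # Definition 10: C u eta(fv(phi)) pairwise consistent
    return pes.consistent(C | {eta[v] for v in fv(phi)})


def sat(pes, C, eta, phi, check_legal=True):
    """(C, eta) in {|phi|} (Definition 11).  Negation follows Section 3.2: -phi holds
    only on pairs legal for phi where phi fails.  check_legal=False drops the legal-pair
    side conditions, reproducing the too-strong logic discussed in Section 3.1."""
    ok = not check_legal or legal(pes, C, eta, phi)
    tag = phi[0]
    if tag == 'T':
        return True
    if tag == 'and':
        return sat(pes, C, eta, phi[1], check_legal) and sat(pes, C, eta, phi[2], check_legal)
    if tag == 'not':
        return ok and not sat(pes, C, eta, phi[1], check_legal)
    if tag == 'bind':
        xs, ys, a, z, body = phi[1:]
        return ok and any(sat(pes, C, {**eta, z: e}, body, check_legal)
                          for e in pes.residual(C) if pes.label[e] == a
                          and all(pes.lt(eta[x], e) for x in xs)
                          and all(pes.concurrent(eta[y], e) for y in ys))
    C1 = pes.step(C, eta[phi[1]])  # <z> phi: execute the event bound to z
    return C1 is not None and sat(pes, C1, eta, phi[2], check_legal)


def models(pes, phi, check_legal=True):  # E |= phi for closed phi (empty configuration)
    return sat(pes, frozenset(), {}, phi, check_legal)


# Constructed pess for a.b + c.d (E1 of Fig. 1), a.b.c + a.b.c (E4) and a.b.c (E5).
E1 = PES({'a1': 'a', 'b1': 'b', 'c1': 'c', 'd1': 'd'}, [('a1', 'b1'), ('c1', 'd1')], [('a1', 'c1')])
E4 = PES({'a1': 'a', 'b1': 'b', 'c1': 'c', 'a2': 'a', 'b2': 'b', 'c2': 'c'},
         [('a1', 'b1'), ('b1', 'c1'), ('a2', 'b2'), ('b2', 'c2')], [('a1', 'a2')])
E5 = PES({'a': 'a', 'b': 'b', 'c': 'c'}, [('a', 'b'), ('b', 'c')], [])
BX, DY = Bind((), (), 'b', 'x', T), Bind((), (), 'd', 'y', T)  # (b x)T and (d y)T
PHI_A = Bind((), (), 'a', 'z', Exec('z', And(BX, DY)))         # (a z)<z>((b x)T /\ (d y)T)
PHI = Bind((), (), 'a', 'x', Bind((), (), 'b', 'y', Exec('x', Not(Exec('y', T)))))  # (a x)(b y)<x>-<y>T
PSI = Bind((), (), 'a', 'x', Bind((), (), 'b', 'y', Not(Bind(('x', 'y'), (), 'c', 'z', T))))  # -(x,y<c z)T
```

Running `models(E4, PSI, check_legal=False)` shows how dropping the legal-pair condition lets the formula separate $a.b.c + a.b.c$ from $a.b.c$, whereas with the condition in place neither pes satisfies it.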

Instead of restricting the semantics to legal pairs, one could envisage syntactic constraints which produce essentially the same effect, thus limiting the observation power of the logic. The idea is quite simple: in any formula, whenever we bind an event to a variable $z$, we require that the binder operator explicitly states the consistency of $z$ with the free variables appearing in the remaining part of the formula. Specifically, for any subformula of the kind $(\mathbf{x}, \mathbf{y} < a\, z)\psi$, we could require the free variables of $\psi$ to be a subset of $\mathbf{x} \cup \mathbf{y} \cup \{z\}$. In this way we are guaranteed that the event bound to $z$ is either causally dependent on or concurrent with (hence consistent with) the events bound to the free variables of the formula. This essentially gives the same effect as restricting the semantics to legal pairs. Note that for any formula in $\mathcal{L}$ we can construct an equivalent formula satisfying the above constraint. The key observation is that a quantified formula $(\mathbf{x}, \mathbf{y} < a\, z)\psi$ can be transformed into

$$\bigvee_{\mathbf{x}', \mathbf{y}' \text{ s.t. } \mathbf{x}' \uplus \mathbf{y}' = fv(\psi) \setminus (\mathbf{x} \cup \mathbf{y})} (\mathbf{x} \cup \mathbf{x}', \mathbf{y} \cup \mathbf{y}' < a\, z)\psi$$

where the fact that $z$ must be consistent with any variable in $fv(\psi)$ has been made explicit by requiring any such variable, not already in $\mathbf{x} \cup \mathbf{y}$, to be either a cause of or concurrent with $z$, in any possible way.

3.2 Negation and dual operators

Strictly speaking, the negation operator of $\mathcal{L}$ does not behave as classical negation. In fact, if we take an open formula $\varphi$ and a pair $(C, \eta)$ which is not legal for $\varphi$, then neither $\mathcal{E}, C \models_\eta \varphi$ nor $\mathcal{E}, C \models_\eta \neg\varphi$. As a concrete example, take $\varphi = \langle x \rangle\langle y \rangle \mathsf{T}$. Then in the pes $\mathcal{E}_1$ of Fig. 1, if $\eta$ binds $x$ and $y$ to the conflicting events labelled $a$ and $c$, respectively, then $(\emptyset, \eta)$ is not legal for $\varphi$ and we have $\mathcal{E}_1, \emptyset \not\models_\eta \varphi$ and $\mathcal{E}_1, \emptyset \not\models_\eta \neg\varphi$.

However, since a pair $(C, \eta)$ is legal for $\varphi$ if and only if it is legal for $\neg\varphi$, the following result holds.

Lemma 3 (negation). Let $\varphi$ be a formula in $\mathcal{L}$, let $\mathcal{E}$ be a pes and let $(C, \eta) \in lp(\varphi)$. Then $\mathcal{E}, C \models_\eta \neg\varphi$ iff $\mathcal{E}, C \not\models_\eta \varphi$.

In particular, when $\varphi$ is closed, given any pes $\mathcal{E}$, since any pair $(C, \eta)$ is legal for $\varphi$, the above lemma implies that $\mathcal{E} \models \neg\varphi$ iff $\mathcal{E} \not\models \varphi$.

Using negation we can define operators which are dual to those in the logic. As usual, $\varphi \vee \psi$ can be defined by the formula $\neg(\neg\varphi \wedge \neg\psi)$ and $\mathsf{F}$ (false) by $\neg\mathsf{T}$. Moreover, we write

$\{\mathbf{x}, \mathbf{y} < a\, z\}\varphi$ for the formula $\neg((\mathbf{x}, \mathbf{y} < a\, z)\neg\varphi)$,

$[z]\varphi$ for the formula $\neg\langle z \rangle\neg\varphi$.
The dual of the binder has a universal flavour. In fact its semantics can be expressed as follows:

$$\begin{aligned}
\{|\{\mathbf{x}, \mathbf{y} < a\, z\}\varphi|\}^{\mathcal{E}} = \{(C, \eta) \mid{} & (C, \eta) \in lp(\{\mathbf{x}, \mathbf{y} < a\, z\}\varphi) \text{ and } \forall e \in E[C] \text{ such that} \\
& \lambda(e) = a \wedge \eta(\mathbf{x}) < e \wedge \eta(\mathbf{y}) \parallel e \text{ it holds } (C, \eta[z \mapsto e]) \in \{|\varphi|\}^{\mathcal{E}}\}
\end{aligned}$$

i.e., $\mathcal{E}, C \models_\eta \{\mathbf{x}, \mathbf{y} < a\, z\}\varphi$ when for all $a$-labelled events $e$ in the future of $C$, consistent with the events already bound to $fv(\varphi)$, caused by $\eta(\mathbf{x})$ and concurrent with $\eta(\mathbf{y})$, binding $e$ to $z$ the formula $\varphi$ holds.

The semantics of $[\cdot]$, instead, can be defined as:

$$\{|[z]\varphi|\}^{\mathcal{E}} = \{(C, \eta) \mid (C, \eta) \in lp([z]\varphi) \text{ and if } C \xrightarrow{\eta(z)} C' \text{ then } (C', \eta) \in \{|\varphi|\}^{\mathcal{E}}\}$$

namely, $\mathcal{E}, C \models_\eta [z]\varphi$ if either $\eta(z)$ is not executable from $C$ or it is executable and in the reached configuration $\varphi$ holds.

The logic $\mathcal{L}$ could alternatively be defined in positive form by including the dual operators and omitting negation. The syntax of the resulting logic would be as follows:

$$\varphi ::= \mathsf{T} \mid \mathsf{F} \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid (\mathbf{x}, \mathbf{y} < a\, z)\varphi \mid \{\mathbf{x}, \mathbf{y} < a\, z\}\varphi \mid \langle z \rangle \varphi \mid [z]\varphi$$

Negation is then encodable by duality. Hereafter we will freely use the dual operators.

3.3 Examples and notation

In this subsection we provide some more examples illustrating the expressiveness of the logic. We start by introducing some handy notation, which will improve the readability of the formulae.

Immediate execution. We will write

$\langle\!| \mathbf{x}, \mathbf{y} < a\, z |\!\rangle \varphi$ for the formula $(\mathbf{x}, \mathbf{y} < a\, z)\langle z \rangle\varphi$

that chooses an event $e$ that is not in the current configuration but that is enabled by it, and immediately executes $e$. We also introduce a notation for the dual of $\langle\!| \mathbf{x}, \mathbf{y} < a\, z |\!\rangle \varphi$, denoted $[\!| \mathbf{x}, \mathbf{y} < a\, z |\!]\varphi$ and defined in the obvious way.

Steps. We also introduce a notation to predicate the existence, resp. the immediate execution, of concurrent events, specifying also their dependencies. We will write

$((\mathbf{x}, \mathbf{y} < a\, z) \otimes (\mathbf{x}', \mathbf{y}' < b\, z'))\varphi$ for the formula $(\mathbf{x}, \mathbf{y} < a\, z)(\mathbf{x}', \mathbf{y}', z < b\, z')\varphi$

$(\langle\!| \mathbf{x}, \mathbf{y} < a\, z |\!\rangle \otimes \langle\!| \mathbf{x}', \mathbf{y}' < b\, z' |\!\rangle)\varphi$ for the formula $((\mathbf{x}, \mathbf{y} < a\, z) \otimes (\mathbf{x}', \mathbf{y}' < b\, z'))\langle z \rangle\langle z' \rangle\varphi$

to declare the existence, resp. the immediate execution, of two concurrent events, labelled $a$ and $b$, which are bound to $z$ and $z'$, after which $\varphi$ holds. In particular, the ability to perform a step consisting of two concurrent events labelled by $a$ and $b$ is simply expressed by the formula $(\langle\!| a\, x |\!\rangle \otimes \langle\!| b\, y |\!\rangle)\mathsf{T}$. Clearly, this notation can be generalised to the quantification and the immediate execution of any number of concurrent events.

An analogous notation will be used for the dual operators, i.e., we will write

$(\{\mathbf{x}, \mathbf{y} < a\, z\} \otimes \{\mathbf{x}', \mathbf{y}' < b\, z'\})\varphi$ and $([\!| \mathbf{x}, \mathbf{y} < a\, z |\!] \otimes [\!| \mathbf{x}', \mathbf{y}' < b\, z' |\!])\varphi$

to say that for any pair of concurrent events, resp. executing any two concurrent events, labelled $a$ and $b$, which are bound to $z$ and $z'$, $\varphi$ holds.

Example 1 (interleaving vs. true concurrency). Consider the pess $\mathcal{E}_6$ and $\mathcal{E}_7$ in Fig. 2. They are equated by interleaving equivalences and distinguished by any true-concurrent equivalence. The formula $\varphi_1 = \langle\!| a\, x |\!\rangle\langle\!| \emptyset, x < b\, y |\!\rangle\mathsf{T} = (\langle\!| a\, x |\!\rangle \otimes \langle\!| b\, y |\!\rangle)\mathsf{T}$ is true only on $\mathcal{E}_7$, while $\varphi_2 = \langle\!| a\, x |\!\rangle\langle\!| x < b\, y |\!\rangle\mathsf{T}$ is true only on $\mathcal{E}_6$.

[Fig. 2: the pess $\mathcal{E}_6$, $\mathcal{E}_7$, $\mathcal{E}_8$ and $\mathcal{E}_9$ (figure not reproduced in this text)]

Wildcard operators. It is often useful to have a wildcard operator to refer to an event with any label. When the set of labels $\Lambda$ is finite, we write

$(\mathbf{x}, \mathbf{y} < \_\, z)\varphi$

to denote the formula $\bigvee_{a \in \Lambda} (\mathbf{x}, \mathbf{y} < a\, z)\varphi$, and similarly for the induced operators. For instance, the formula $(\langle\!| \_\, x_1 |\!\rangle \otimes \langle\!| \_\, x_2 |\!\rangle)\mathsf{T} \wedge \neg(\langle\!| \_\, y_1 |\!\rangle \otimes \langle\!| \_\, y_2 |\!\rangle \otimes \langle\!| \_\, y_3 |\!\rangle)\mathsf{T}$ states that in the current state there is a step consisting of two concurrent events and this is the maximal size for a step. When the set of labels $\Lambda$ is infinite the same wildcard operators are no longer expressible in the logic $\mathcal{L}$. However they can be added to $\mathcal{L}$ while retaining all the results in the paper.

Example 2 (causality and concurrency). Consider the pess $\mathcal{E}_6$ and $\mathcal{E}_8$ in Fig. 2. They are distinguished by any true-concurrent equivalence, but since they share the same causal structure, in order to pinpoint how they differ, the logic must be able to express the presence of two concurrent events. Logic $\mathcal{L}$ can do this in a quite direct way, e.g., $\mathcal{E}_8 \models (\langle\!| a\, x |\!\rangle \otimes \langle\!| b\, y |\!\rangle)\mathsf{T}$, while $\mathcal{E}_6 \not\models (\langle\!| a\, x |\!\rangle \otimes \langle\!| b\, y |\!\rangle)\mathsf{T}$. On the other hand, the pess $\mathcal{E}_7$ and $\mathcal{E}_9$, roughly speaking, exhibit the same concurrency and indeed they are equated by step bisimulation. However they have a different causal structure and thus they are distinguished by any equivalence which observes causality, e.g., pomset bisimilarity. The logic can tell them apart by predicating directly about causality, e.g., $\mathcal{E}_9$ satisfies $\langle\!| a\, x |\!\rangle\langle\!| x < b\, y |\!\rangle\mathsf{T}$, while $\mathcal{E}_7$ does not.

Example 3 (conflicting futures). Consider the following two pess, which can be proved to be hp-bisimilar but not hhp-bisimilar:

[Figure: two pess with $c$- and $d$-labelled events above $a$- and $b$-labelled events (figure not reproduced in this text)]

Intuitively, they differ since the causes of the $c$-labelled and $d$-labelled events are in conflict in the first pes and independent in the second one. This is captured by the formula $\varphi = ((a\, x) \otimes (b\, y))((x < c\, z_1)\mathsf{T} \wedge (y < d\, z_2)\mathsf{T})$, which is satisfied only by the right-most pes. Notice that the formula $\varphi$ exploits the ability of the logic $\mathcal{L}$ of quantifying over events in conflict with previously bound events: formula $\varphi$ is satisfied in the rightmost pes by binding $x$ and $y$ to the rightmost $a$-labelled and $b$-labelled events; then $z_1$ and $z_2$ are bound to events which are in conflict with either $x$ or $y$. For this, the possibility of quantifying over an event without executing it is essential: the formula $\varphi' = (\langle\!| a\, x |\!\rangle \otimes \langle\!| b\, y |\!\rangle)((x < c\, z_1)\mathsf{T} \wedge (y < d\, z_2)\mathsf{T})$ would be false for both pess since the execution of the first two events leads to a configuration that cannot be further extended.

As a last example, consider the two CCS processes $P = a \mid (b + c) + a \mid b + b \mid (a + c)$ and $Q = a \mid (b + c) + b \mid (a + c)$. They contain no causal dependencies, but they exhibit a different interplay between concurrency and branching. Accordingly, the corresponding pess can be proved to be hp-bisimilar but not hhp-bisimilar. Intuitively, this difference comes from the fact that only the process $P$ includes two concurrent events $a$ and $b$ such that, independently of their order of execution, no $c$-labelled event will be enabled. Such a difference can be expressed in $\mathcal{L}$ by the formula $((a\, x) \otimes (b\, y))(\neg(x < c\, z)\mathsf{T} \wedge \neg(y < c\, z')\mathsf{T})$, which is satisfied only by the pes corresponding to $P$.
4 A logical characterisation of hhp-bisimilarity

We next study the logical equivalence induced by $\mathcal{L}$. We have already argued that no formula in $\mathcal{L}$ distinguishes the PESs $a$ and $a \# a$, hence the logical equivalence induced by $\mathcal{L}$ is surely coarser than isomorphism. In this section we will show that it coincides with hhp-bisimilarity.

Since later we will also identify suitable fragments of $\mathcal{L}$ corresponding to coarser equivalences, we define logical equivalence for fragments of $\mathcal{L}$.

Definition 12 (logical equivalence). Let $\mathcal{L}'$ be a fragment of $\mathcal{L}$. We say that two PESs $\mathcal{E}_1, \mathcal{E}_2$ are logically equivalent in $\mathcal{L}'$, written $\mathcal{E}_1 \equiv_{\mathcal{L}'} \mathcal{E}_2$, when they satisfy the same closed formulae.

We first prove that two PESs satisfying the same formulae in $\mathcal{L}$ are hhp-bisimilar.

Proposition 1. Let $\mathcal{E}_1$ and $\mathcal{E}_2$ be PESs such that $\mathcal{E}_1 \equiv_{\mathcal{L}} \mathcal{E}_2$; then $\mathcal{E}_1 \sim_{hhp} \mathcal{E}_2$.

Proof. We first introduce some notation. Let us fix an injective environment $\eta_1 : Var \to E_1$. Then given an event $e_1 \in E_1$ we write $x_{e_1}$ to denote the only variable such that $\eta_1(x_{e_1}) = e_1$. Similarly, for a configuration $C_1 = \{e_1, \dots, e_n\}$ we denote by $X_{C_1}$ the set of variables $\{x_{e_1}, \dots, x_{e_n}\}$. Observe that $(\emptyset, \eta_1)$ is a legal pair for any formula $\varphi \in \mathcal{L}$ such that $fv(\varphi) \subseteq X_{C_1}$.
Consider the posetal relation $R \subseteq \mathcal{C}(\mathcal{E}_1) \times \mathcal{C}(\mathcal{E}_2)$ defined by:

$R = \{ (C_1, f, C_2) \mid \forall \varphi \in \mathcal{L}.\ fv(\varphi) \subseteq X_{C_1} \Rightarrow (\mathcal{E}_1, \emptyset \models_{\eta_1} \varphi \text{ iff } \mathcal{E}_2, \emptyset \models_{f \circ \eta_1} \varphi) \}$ (1)

where, given $f : C_1 \to C_2$ isomorphism of pomsets, by $f \circ \eta_1$ we denote an environment such that $f \circ \eta_1(x) = f(\eta_1(x))$ for $x \in X_{C_1}$, and $f \circ \eta_1(x)$ has any value, otherwise. Note that this does not introduce ambiguities, since, by Lemma 2 the semantics of $\varphi$ only depends on the value of the environment on $fv(\varphi)$ and $fv(\varphi) \subseteq X_{C_1}$, by construction.

Observe that, since by hypothesis $\mathcal{E}_1 \equiv_{\mathcal{L}} \mathcal{E}_2$, we have that $(\emptyset, \emptyset, \emptyset) \in R$. Hence in order to conclude it is sufficient to show that $R$ is a hhp-bisimulation.

— $R$ is downward closed

Take $(C_1, f, C_2) \in R$ and consider $(C_1', f', C_2') \subseteq (C_1, f, C_2)$ pointwise. We have to show that $(C_1', f', C_2') \in R$.

Let $\psi$ be any formula such that $fv(\psi) \subseteq X_{C_1'}$. Since $C_1' \subseteq C_1$, clearly $fv(\psi) \subseteq X_{C_1}$ and thus, since $(C_1, f, C_2) \in R$, by definition of $R$ (1), we have that

$\mathcal{E}_1, \emptyset \models_{\eta_1} \psi$ iff $\mathcal{E}_2, \emptyset \models_{f \circ \eta_1} \psi$.

Moreover, since $fv(\psi) \subseteq X_{C_1'}$, $\eta_1(X_{C_1'}) = C_1'$ and $f' = f|_{C_1'}$, we have that $(f \circ \eta_1)|_{fv(\psi)} = (f' \circ \eta_1)|_{fv(\psi)}$ and thus by Lemma 2

$\mathcal{E}_2, \emptyset \models_{f \circ \eta_1} \psi$ iff $\mathcal{E}_2, \emptyset \models_{f' \circ \eta_1} \psi$.

Summing up, for any $\psi$ such that $fv(\psi) \subseteq X_{C_1'}$, it holds $\mathcal{E}_1, \emptyset \models_{\eta_1} \psi$ iff $\mathcal{E}_2, \emptyset \models_{f' \circ \eta_1} \psi$. Therefore $(C_1', f', C_2') \in R$, as desired.

— $R$ is a hp-bisimulation

We have to show that given $(C_1, f, C_2) \in R$, if $C_1 \xrightarrow{e} C_1'$ then there exists a transition $C_2 \xrightarrow{g} C_2'$ such that $f' = f[e \mapsto g] : C_1' \to C_2'$ is an isomorphism of pomsets (hence in particular $\lambda_1(e) = \lambda_2(g)$) and $(C_1', f', C_2') \in R$.

We proceed by contradiction. Since all PESs are assumed to be image finite, there are finitely many transitions $C_2 \xrightarrow{g_i} C_2^i$, $i \in \{1, \dots, n\}$, such that $C_2^i \simeq C_1'$ (as pomsets). By contradiction assume that $(C_1', f^i, C_2^i) \notin R$ for any $i \in \{1, \dots, n\}$. Hence, by definition of $R$ (1), there exists a formula $\psi^i$ such that

$\mathcal{E}_1, \emptyset \models_{\eta_1} \psi^i$ and $\mathcal{E}_2, \emptyset \not\models_{f^i \circ \eta_1} \psi^i$

where $fv(\psi^i) \subseteq X_{C_1'} = X_{C_1} \cup \{x_e\}$ and $f^i = f[e \mapsto g_i]$. Observe that it could either be that $\mathcal{E}_1, \emptyset \not\models_{\eta_1} \psi^i$ and $\mathcal{E}_2, \emptyset \models_{f^i \circ \eta_1} \psi^i$, but we can reduce to the case above by taking the negation of $\psi^i$. Then consider the formula

$\varphi = (x, \bar{y} < a\,x_e)(\langle X_{C_1}\rangle\langle x_e\rangle\mathsf{T} \wedge \psi^1 \wedge \dots \wedge \psi^n)$

where $a = \lambda_1(e)$ and the $x, y \subseteq X_{C_1}$ are such that $\eta_1(x)$ is the set of causes of $e$ in $C_1$ and $\eta_1(y)$ is the set of events in $C_1$ which are concurrent with $e$. Note that

$fv(\varphi) = ((X_{C_1} \cup \bigcup_{i=1}^{n} fv(\psi^i)) \setminus \{x_e\}) \cup x \cup y \subseteq X_{C_1}$.

Moreover, it is easy to see that $\mathcal{E}_1, \emptyset \models_{\eta_1} \varphi$ and $\mathcal{E}_2, \emptyset \not\models_{f \circ \eta_1} \varphi$, contradicting the hypotheses.

The fact that also the converse holds, i.e., if $C_2 \xrightarrow{g} C_2'$ then there exists a transition $C_1 \xrightarrow{e} C_1'$ such that $f' = f[e \mapsto g] : C_1' \to C_2'$ is an isomorphism of pomsets and $(C_1', f', C_2') \in R$, can be proved analogously. □

In order to prove the converse, i.e., the fact that hhp-bisimilar PESs satisfy the same $\mathcal{L}$ formulae, we first adapt a lemma from [Bed91, vGG01] which will be useful in the sequel.

Lemma 4 (hhp-bisimilarity as a PES). Let $\mathcal{E}_1, \mathcal{E}_2$ be PESs such that $\mathcal{E}_1 \sim_{hhp} \mathcal{E}_2$ and let $R$ be a hhp-bisimulation. Then there exists a PES $\mathcal{E}_R = (E_R, \leq_R, \#_R, \lambda_R)$ such that for $i \in \{1, 2\}$

- $\mathcal{E}_i \sim_{hhp} \mathcal{E}_R$,

- there are surjective maps $f_i : E_R \to E_i$ such that $\{ (C, f_i|_C, f_i(C)) \mid C \in \mathcal{C}(\mathcal{E}_R) \}$ is a hhp-bisimulation.

Additionally, each $f_i$ preserves labels, $<$ and $\parallel$, maps configurations to configurations and it is injective on pairwise consistent sets of events.

Proof (Sketch, from [Bed91, vGG01]). We just recall the definition of $\mathcal{E}_R = (E_R, \leq_R, \#_R, \lambda_R)$:

- $E_R = \{ (e_1, f, e_2) \mid (\lfloor e_1 \rfloor, f, \lfloor e_2 \rfloor) \in R \}$,

- $(e_1, f, e_2) \leq_R (e_1', f', e_2')$ if $f \subseteq f'$,

- $(e_1, f, e_2) \#_R (e_1', f', e_2')$ if there exists no $(C, g, D) \in R$ such that $(\lfloor e_1 \rfloor, f, \lfloor e_2 \rfloor), (\lfloor e_1' \rfloor, f', \lfloor e_2' \rfloor) \subseteq (C, g, D)$ pointwise,

- $\lambda_R(e_1, f, e_2) = \lambda_1(e_1)$.

The maps $f_1 : E_R \to E_1$ and $f_2 : E_R \to E_2$ are just the projections on the first and third components, respectively. □

Proposition 2. Let $\mathcal{E}_1$ and $\mathcal{E}_2$ be PESs such that $\mathcal{E}_1 \sim_{hhp} \mathcal{E}_2$. Then $\mathcal{E}_1 \equiv_{\mathcal{L}} \mathcal{E}_2$.

Proof. Let $R$ be a hhp-bisimulation relating $\mathcal{E}_1$ and $\mathcal{E}_2$. By Lemma 4 it is not restrictive to assume that $R = \{ (C_1, f|_{C_1}, f(C_1)) \}$, where $f : E_1 \to E_2$ is a surjective map satisfying the conditions in the statement of the lemma. Then it is sufficient to prove that for any formula $\varphi \in \mathcal{L}$, for any $(C_1, \eta) \in lp(\varphi)$

$\mathcal{E}_1, C_1 \models_\eta \varphi$ iff $\mathcal{E}_2, f(C_1) \models_{f \circ \eta} \varphi$.

Indeed, since $(\emptyset, \emptyset)$ is legal for any closed formula, it implies in particular that $\mathcal{E}_1$ and $\mathcal{E}_2$ satisfy the same closed formulae, i.e., $\mathcal{E}_1 \equiv_{\mathcal{L}} \mathcal{E}_2$ as desired.

First of all note that $(C_1, \eta)$ is a legal pair for $\varphi$ iff $(f(C_1), f \circ \eta)$ is a legal pair for $\varphi$ since $f$ preserves consistency (as it preserves causality and concurrency).

We proceed by induction on the formula $\varphi$:

- $\varphi = \mathsf{T}$, $\varphi = \varphi_1 \wedge \varphi_2$, $\varphi = \neg\varphi_1$
Immediate.
- $\varphi = (x, \bar{y} < a\,z)\psi$
Assume that $\mathcal{E}_1, C_1 \models_\eta \varphi$. Hence, by definition of the semantics, there exists an event $e \in E_1[C_1]$, such that $\lambda_1(e) = a$, $\eta(x) < e$, $\eta(y) \parallel e$ and

(2)

where $\eta' = \eta[z \mapsto e]$.

By (2) and Lemma 1, $(C_1, \eta')$ is legal for $\psi$. Hence by inductive hypothesis $\mathcal{E}_2, f(C_1) \models_{f \circ \eta'} \psi$ with $f \circ \eta' = (f \circ \eta)[z \mapsto f(e)]$.

Since, by Lemma 4, $f$ is injective on pairwise consistent sets of events, $f(e) \in E_2[f(C_1)]$. Additionally, again by Lemma 4, since $f$ preserves labels, $<$ and $\parallel$ we have that $\lambda_2(f(e)) = \lambda_1(e) = a$ and $f(\eta(x)) < f(e)$, $f(\eta(y)) \parallel f(e)$. Therefore we conclude that, as desired

$\mathcal{E}_2, f(C_1) \models_{f \circ \eta} \varphi$.

Vice versa, let $\mathcal{E}_2, f(C_1) \models_{f \circ \eta} \varphi$. Therefore there exists an event $g \in E_2[f(C_1)]$, such that $\lambda_2(g) = a$, $f(\eta(x)) < g$ and $f(\eta(y)) \parallel g$ and $\mathcal{E}_2, f(C_1) \models_{\eta_2} \psi$, where $\eta_2 = (f \circ \eta)[z \mapsto g]$. From the fact that $\mathcal{E}_2, f(C_1) \models_{f \circ \eta} \varphi$ and Lemma 1 we have that $(f(C_1), f \circ \eta)$ is legal for $\varphi$. This implies, in particular, that $D_2 = f(C_1) \cup \lfloor f(\eta(x \cup y)) \rfloor$ is a configuration. Notice that also $D_2 \cup \lfloor g \rfloor$ is a configuration, hence if we let $X_2 = \lfloor g \rfloor \setminus D_2$ we have

$D_2 \xrightarrow{X_2} D_2'$ (3)

Now, since by hypothesis $(C_1, \eta)$ is legal for $\varphi$ and since $x \cup y \subseteq fv(\varphi)$, we know that $C_1 \cup \eta(x \cup y)$ is pairwise consistent. It follows that $D_1 = C_1 \cup \lfloor \eta(x \cup y) \rfloor$ is a configuration. Since, by Lemma 4, $f$ is injective on pairwise consistent sets and preserves causality, $\lfloor f(\eta(x \cup y)) \rfloor = f(\lfloor \eta(x \cup y) \rfloor)$ and thus $D_2 = f(D_1)$, which means that $(D_1, f|_{D_1}, f(D_1)) \in R$. Therefore, since $R$ is a hhp-bisimulation, there is a pomset transition simulating (3):

$D_1 \xrightarrow{X_1} D_1'$ (4)

such that $(D_1', f|_{D_1'}, D_2') \in R$. In particular, since $f|_{D_1'}$ is an isomorphism of pomsets between $D_1'$ and $D_2'$, if we take the (unique) $e \in X_1$ such that $f(e) = g$, it holds that $\lambda_1(e) = \lambda_2(g) = a$, $\eta(x) < e$ and $\eta(y) \parallel e$. Now, if we let $\eta' = \eta[z \mapsto e]$, since $f \circ \eta' = \eta_2$ and $(C_1, \eta') \in lp(\psi)$ by construction, we can use the inductive hypothesis, together with $\mathcal{E}_2, f(C_1) \models_{\eta_2} \psi$, to conclude $\mathcal{E}_1, C_1 \models_{\eta'} \psi$. Hence

- $\varphi = \langle x \rangle \psi$

Assume that $\mathcal{E}_1, C_1 \models_\eta \varphi$, where $(C_1, \eta) \in lp(\varphi)$. By definition of the semantics this means that

$C_1 \xrightarrow{\eta(x)} C_1'$

and $\mathcal{E}_1, C_1' \models_\eta \psi$.

Since $R$ is a hhp-bisimulation, we have that

$f(C_1) \xrightarrow{f(\eta(x))} f(C_1')$

and, by inductive hypothesis, $\mathcal{E}_2, f(C_1') \models_{f \circ \eta} \psi$. This implies that, as desired

$\mathcal{E}_2, f(C_1) \models_{f \circ \eta} \varphi$.

Vice versa, let $\mathcal{E}_2, f(C_1) \models_{f \circ \eta} \varphi$, where $(C_1, \eta)$ is legal for $\varphi$. By definition of the semantics this means that

$f(C_1) \xrightarrow{f(\eta(x))} C_2$

and $\mathcal{E}_2, C_2 \models_{f \circ \eta} \psi$.

Since $(C_1, \eta)$ is legal for $\varphi$, we know that $\eta(x)$ is consistent with $C_1$. Moreover, $C_1 \cup \{\eta(x)\}$ is causally closed, otherwise, since $f$ preserves causality and it is injective on pairwise consistent sets, also $f(C_1 \cup \{\eta(x)\}) = f(C_1) \cup \{f(\eta(x))\} = C_2$ would not be causally closed.
Hence $C_1' = C_1 \cup \{\eta(x)\}$ is a configuration and thus

$C_1 \xrightarrow{\eta(x)} C_1'$

and clearly $f(C_1') = C_2$. Moreover, by inductive hypothesis, $\mathcal{E}_1, C_1' \models_\eta \psi$. Hence, as desired

□

Propositions 2 and 1 together say that hhp-bisimilarity is the logical equivalence of $\mathcal{L}$.

Theorem 1 (hhp-bisimilarity). Let $\mathcal{E}_1$ and $\mathcal{E}_2$ be PESs. Then $\mathcal{E}_1 \sim_{hhp} \mathcal{E}_2$ iff $\mathcal{E}_1 \equiv_{\mathcal{L}} \mathcal{E}_2$.



5 From Hennessy-Milner logic to HP-logic

Hhp-bisimilarity is the finest equivalence in the spectrum of true concurrent equivalences proposed in [vGG01]. Interestingly enough, coarser equivalences such as step, pomset and hp-bisimilarity can be captured by suitable fragments of $\mathcal{L}$, summarised in Fig. 3, which can be viewed as the logical counterpart of the true concurrent spectrum.

Note that, in each of these fragments after predicating the existence of an event we must 
execute it. As a consequence, differently from what happens in the full logic, in the fragments it 
is impossible to refer to events in conflict with already observed events. Intuitively, this says that 
behavioural equivalences up to hp-bisimilarity observe events only by executing them. Hence they 
cannot fully capture the interplay between concurrency and branching, which is indeed distinctive 
of hhp-equivalence. 

HM Logic $\mathcal{L}_{HM}$: $\varphi ::= \langle\!|a\,x|\!\rangle\varphi \mid \varphi \wedge \varphi \mid \neg\varphi \mid \mathsf{T}$

Step Logic $\mathcal{L}_s$: $\varphi ::= (\langle\!|a_1\,x_1|\!\rangle \otimes \dots \otimes \langle\!|a_n\,x_n|\!\rangle)\varphi \mid \varphi \wedge \varphi \mid \neg\varphi \mid \mathsf{T}$

Pomset Logic $\mathcal{L}_p$: $\varphi ::= \langle\!|x, \bar{y} < a\,z|\!\rangle\varphi \mid \neg\varphi \mid \varphi \wedge \varphi \mid \mathsf{T}$

where $\neg$, $\wedge$ are used only on closed formulae.

HP Logic $\mathcal{L}_{hp}$: $\varphi ::= \langle\!|x, \bar{y} < a\,z|\!\rangle\varphi \mid \neg\varphi \mid \varphi \wedge \varphi \mid \mathsf{T}$

Fig. 3. Fragments of $\mathcal{L}$ corresponding to various behavioural equivalences



5.1 Hennessy-Milner Logic 

A first simple observation is that standard Hennessy-Milner logic can be recovered as the fragment of $\mathcal{L}$ where only the derived modality $\langle\!|a\,x|\!\rangle\varphi$ (with no references to causally dependent/concurrent events) is allowed. In words, whenever we state the existence of an enabled event we are forced to execute it. Moreover, since no dependencies can be expressed, the bound variable $x$ is irrelevant. The induced logical equivalence is thus bisimilarity [HM85] (recall that we consider only image finite PESs).
5.2 Step logic

A fragment $\mathcal{L}_s$ corresponding to step bisimilarity naturally arises as a generalisation of HM logic where we can refer to sets of concurrently enabled events. More precisely, as shown in Fig. 3, $\mathcal{L}_s$ is the fragment of $\mathcal{L}$ where only the derived modality $\langle\!|a_1\,x_1|\!\rangle \otimes \dots \otimes \langle\!|a_n\,x_n|\!\rangle$ is used, allowing to predicate on the possibility of performing a parallel step, but without any reference to causal dependencies. Note that all formulae in $\mathcal{L}_s$ are closed, and thus environments are irrelevant in their semantics (as well as the names of the bound variables). Given a PES $\mathcal{E}$, a configuration $C$ and a formula $\varphi$ we will write $\mathcal{E}, C \models \varphi$ when $\mathcal{E}, C \models_\eta \varphi$ for some $\eta$.

As an example, consider the two PESs and $\mathcal{E}_7$ in Fig. 2. They are bisimilar but not step bisimilar since only $\mathcal{E}_7$ can execute the step consisting of $a$ and $b$; accordingly, the formula $(\langle\!|a\,x|\!\rangle \otimes \langle\!|b\,y|\!\rangle)\mathsf{T}$ in $\mathcal{L}_s$ is true only on $\mathcal{E}_7$.

Lemma 5. Let $\mathcal{E}_1$ and $\mathcal{E}_2$ be PESs and let $C_i \in \mathcal{C}(\mathcal{E}_i)$, $i \in \{1, 2\}$ be configurations. Then there exists a step bisimulation $R$ such that $(C_1, C_2) \in R$ iff for any $\varphi \in \mathcal{L}_s$, $\mathcal{E}_1, C_1 \models \varphi \Leftrightarrow \mathcal{E}_2, C_2 \models \varphi$.

Proof. ($\Rightarrow$) Assume that $(C_1, C_2) \in R$ for some step bisimulation $R$. The proof that for all $\varphi \in \mathcal{L}_s$, $\mathcal{E}_1, C_1 \models \varphi$ iff $\mathcal{E}_2, C_2 \models \varphi$ can be carried out by induction on the structure of $\varphi$.

We only show the non-trivial case where $\varphi = (\langle\!|a_1\,x_1|\!\rangle \otimes \dots \otimes \langle\!|a_n\,x_n|\!\rangle)\psi$. Assume that $\mathcal{E}_1, C_1 \models \varphi$. Hence there is a step $C_1 \xrightarrow{\{e_1, \dots, e_n\}} C_1'$ where $\lambda_1(e_i) = a_i$ for $i \in \{1, \dots, n\}$ and

$\mathcal{E}_1, C_1' \models \psi$. (5)

Since $(C_1, C_2) \in R$, also $C_2$ can perform an analogous step

$C_2 \xrightarrow{\{e_1', \dots, e_n'\}} C_2'$

with $\lambda_2(e_i') = a_i$ for $i \in \{1, \dots, n\}$ and $(C_1', C_2') \in R$. Additionally, by (5), using the induction hypothesis, we have that $\mathcal{E}_2, C_2' \models \psi$. Therefore we conclude $\mathcal{E}_2, C_2 \models \varphi$.

($\Leftarrow$) We prove that the relation

$R = \{ (C_1, C_2) \mid \forall \psi \in \mathcal{L}_s.\ (\mathcal{E}_1, C_1 \models \psi \text{ iff } \mathcal{E}_2, C_2 \models \psi) \}$

is a step bisimulation.

We proceed by contradiction. Let $(C_1, C_2) \in R$, let $C_1 \xrightarrow{X} C_1'$, where $X$ is a step, and assume that for all $Y$ such that $C_2 \xrightarrow{Y} C_2'$ and $X \simeq Y$ as pomsets it does not hold that $(C_1', C_2') \in R$. Hence there exists a formula $\psi$ such that $\mathcal{E}_1, C_1' \models \psi$ and $\mathcal{E}_2, C_2' \not\models \psi$.

Since our PESs are assumed to be image finite, the number of possible steps $C_2 \xrightarrow{Y} C_2'$, with $X \simeq Y$, is finite. Let $C_2 \xrightarrow{Y_i} C_2^i$, for $i \in \{1, \dots, k\}$, be such steps and let $\psi^i$ be the formulae such that $\mathcal{E}_1, C_1' \models \psi^i$ and $\mathcal{E}_2, C_2^i \not\models \psi^i$. If, for $X = \{e_1, \dots, e_n\}$ and $a_i = \lambda_1(e_i)$, we define

$\varphi = (\langle\!|a_1\,x_1|\!\rangle \otimes \dots \otimes \langle\!|a_n\,x_n|\!\rangle)(\psi^1 \wedge \dots \wedge \psi^k)$

we have that $\mathcal{E}_1, C_1 \models \varphi$ while $\mathcal{E}_2, C_2 \not\models \varphi$, which gives the desired contradiction. □

Now it is immediate to conclude that the following holds.

Theorem 2 (step bisimilarity). Let $\mathcal{E}_1$ and $\mathcal{E}_2$ be PESs. Then $\mathcal{E}_1$ and $\mathcal{E}_2$ are step bisimilar iff $\mathcal{E}_1 \equiv_{\mathcal{L}_s} \mathcal{E}_2$.
5.3 Pomset logic

The logic $\mathcal{L}_p$ for pomset bisimilarity in Fig. 3 consists of a fragment of $\mathcal{L}$ where, still, an event must be immediately executed when quantified, but it is possible to refer to dependencies between events. However, propositional connectives (negation and conjunction) can be used only on closed formulae.

Roughly speaking, in $\mathcal{L}_p$ closed subformulae characterise the execution of a pomset. Then, the requirement that the propositional operators are used only on closed subformulae prevents pomset transitions from being causally linked to the events in the past. These ideas are formalised by the results below.

First observe that a closed formula in $\mathcal{L}_p$ has always the shape

$\langle\!|x_1, \bar{y}_1 < a_1\,z_1|\!\rangle \dots \langle\!|x_n, \bar{y}_n < a_n\,z_n|\!\rangle\psi$

where, if we let $Z = \{z_1, \dots, z_n\}$, then $x_i, y_i \subseteq Z$ for any $i \in \{1, \dots, n\}$. We next prove that the prefix $\langle\!|x_1, \bar{y}_1 < a_1\,z_1|\!\rangle \dots \langle\!|x_n, \bar{y}_n < a_n\,z_n|\!\rangle$ intuitively corresponds to the execution of a class of pomsets (not a single one, since the relation between some events might be not specified). More precisely, in the situation above let $Pom(\langle\!|x_1, \bar{y}_1 < a_1\,z_1|\!\rangle \dots \langle\!|x_n, \bar{y}_n < a_n\,z_n|\!\rangle)$ denote the class of pomsets $(Z, \leq, \lambda)$ such that $Z = \{z_1, \dots, z_n\}$ and for $i \in \{1, \dots, n\}$, $\lambda(z_i) = a_i$ and given any $z \in Z$

— $z \in x_i$ implies $z < z_i$,

— $z \in y_i$ implies $z \parallel z_i$.

With this definition it is immediate to show that the following result holds. 

Lemma 6. Let $\varphi = \langle\!|x_1, \bar{y}_1 < a_1\,z_1|\!\rangle \dots \langle\!|x_n, \bar{y}_n < a_n\,z_n|\!\rangle\psi$ be a closed formula in $\mathcal{L}_p$. Then

$\mathcal{E}, C \models_\eta \varphi$ iff $C \xrightarrow{X} C'$ where $X = \{e_1, \dots, e_n\}$ is a pomset s.t. $X \simeq (Z, \leq, \lambda)$ for some $(Z, \leq, \lambda) \in Pom(\langle\!|x_1, \bar{y}_1 < a_1\,z_1|\!\rangle \dots \langle\!|x_n, \bar{y}_n < a_n\,z_n|\!\rangle)$ and $\mathcal{E}, C' \models_{\eta'} \psi$, with $\eta' = \eta[z_1 \mapsto e_1, \dots, z_n \mapsto e_n]$.

Proof. Routine induction on $n$. □

Next we observe that, in particular, the execution of a single pomset can be exactly characterised by a corresponding formula in $\mathcal{L}_p$.

Definition 13 (pomsets as formulae in $\mathcal{L}_p$). Let $p_X = (\{x_1, \dots, x_n\}, \leq_{p_X}, \lambda_{p_X})$ be a labelled poset, whose elements $\{x_1, \dots, x_n\} \subseteq Var$ are variables ordered by $\leq_{p_X}$. Given a formula $\varphi \in \mathcal{L}_p$, we denote by $\langle\!|p_X|\!\rangle\varphi$ the formula inductively defined as follows. If $p_X$ is empty then $\langle\!|p_X|\!\rangle\varphi = \varphi$. If $p_X = p_X' \cup \{x\}$, where $x$ is maximal with respect to $\leq_{p_X}$, if we let $y = \{x' \in p_X' \mid x' <_{p_X} x\}$, $z = p_X' \setminus y$ and $\lambda_{p_X}(x) = a$, then $\langle\!|p_X|\!\rangle\varphi = \langle\!|p_X'|\!\rangle\langle\!|y, \bar{z} < a\,x|\!\rangle\varphi$.

The fact that pomset formulae as defined above have exactly the intended semantics immediately follows from Lemma 6.

Lemma 7 (pomsets in $\mathcal{L}_p$). Let $\mathcal{E}$ be a PES and let $C \in \mathcal{C}(\mathcal{E})$ be a configuration. Given a labelled poset $p_X = (\{x_1, \dots, x_n\}, \leq_{p_X}, \lambda_{p_X})$, then

$\mathcal{E}, C \models_\eta \langle\!|p_X|\!\rangle\varphi$ iff $C \xrightarrow{X} C'$ where $X = \{e_1, \dots, e_n\}$ is a pomset s.t. $X \simeq p_X$ and $\mathcal{E}, C' \models_{\eta'} \varphi$, with $\eta' = \eta[x_1 \mapsto e_1, \dots, x_n \mapsto e_n]$.

Proof. Just observe that $Pom(\langle\!|p_X|\!\rangle) = \{p_X\}$. Then the result is an instance of Lemma 6. □

Lemma 8. Let $\mathcal{E}_1$ and $\mathcal{E}_2$ be PESs and let $C_i \in \mathcal{C}(\mathcal{E}_i)$, $i \in \{1, 2\}$, be configurations. Then there exists a pomset bisimulation $R$ such that $(C_1, C_2) \in R$ iff for any $\varphi \in \mathcal{L}_p$, $\varphi$ closed, $\mathcal{E}_1, C_1 \models_\emptyset \varphi \Leftrightarrow \mathcal{E}_2, C_2 \models_\emptyset \varphi$.
Proof. ($\Rightarrow$) Let us prove that if $(C_1, C_2) \in R$, then for all closed formulae $\varphi \in \mathcal{L}_p$, we have that

$\mathcal{E}_1, C_1 \models_\emptyset \varphi$ iff $\mathcal{E}_2, C_2 \models_\emptyset \varphi$.

The proof proceeds by induction on the structure of the formula $\varphi$. The cases in which $\varphi$ is a conjunction, negation or true are trivial. In the remaining cases $\varphi$ is a closed formula of the shape

$\langle\!|x_1, \bar{y}_1 < a_1\,z_1|\!\rangle \dots \langle\!|x_n, \bar{y}_n < a_n\,z_n|\!\rangle\psi$ (6)

where $\psi$ is closed.

Assume that $\mathcal{E}_1, C_1 \models_\emptyset \varphi$. Then, by Lemma 6, $C_1 \xrightarrow{X} C_1'$ where $X \simeq (Z, \leq, \lambda)$ for some pomset $(Z, \leq, \lambda) \in Pom(\langle\!|x_1, \bar{y}_1 < a_1\,z_1|\!\rangle \dots \langle\!|x_n, \bar{y}_n < a_n\,z_n|\!\rangle)$. Additionally $\mathcal{E}_1, C_1' \models_{\emptyset[z_1 \mapsto e_1, \dots, z_n \mapsto e_n]} \psi$, and thus $\mathcal{E}_1, C_1' \models_\emptyset \psi$, by Lemma 2 since $\psi$ is closed.

Since $(C_1, C_2) \in R$ and $R$ is a pomset bisimulation, there is a pomset $Y = \{g_1, \dots, g_n\}$, isomorphic to $X$, and thus to $(Z, \leq, \lambda)$, such that

$C_2 \xrightarrow{Y} C_2'$ (7)

and $(C_1', C_2') \in R$. By inductive hypothesis, $\mathcal{E}_2, C_2' \models_\emptyset \psi$. Again, since $\psi$ is closed, by Lemma 2 it also holds $\mathcal{E}_2, C_2' \models_{\emptyset[z_1 \mapsto g_1, \dots, z_n \mapsto g_n]} \psi$. This fact, together with (7), allows us to conclude, by Lemma 6, that $\mathcal{E}_2, C_2 \models_\emptyset \varphi$, as desired.

($\Leftarrow$) The proof is analogous to that of Lemma 5, i.e., we show that the relation

$R = \{ (C_1, C_2) \mid \forall \varphi \in \mathcal{L}_p, \varphi \text{ closed}, \mathcal{E}_1, C_1 \models_\emptyset \varphi \text{ iff } \mathcal{E}_2, C_2 \models_\emptyset \varphi \}$

is a pomset bisimulation.

We proceed by contradiction. Let $(C_1, C_2) \in R$, let $C_1 \xrightarrow{X} C_1'$, where $X$ is a pomset, and assume that for all $Y$ such that $C_2 \xrightarrow{Y} C_2'$ and $X \simeq Y$ there exists a closed formula $\psi$ such that $\mathcal{E}_1, C_1' \models \psi$ and $\mathcal{E}_2, C_2' \not\models \psi$.

Since our PESs are assumed to be image finite, there are finitely many such pomset transitions $C_2 \xrightarrow{Y_i} C_2^i$, for $i \in \{1, \dots, k\}$. Let $\psi^i$ be the formulae such that $\mathcal{E}_1, C_1' \models \psi^i$ and $\mathcal{E}_2, C_2^i \not\models \psi^i$. If $p_X$ is a labelled pomset of variables, such that $p_X \simeq X$, let us define:

$\varphi = \langle\!|p_X|\!\rangle(\psi^1 \wedge \dots \wedge \psi^k)$

Then by Lemma 7 we have that $\mathcal{E}_1, C_1 \models \varphi$ while $\mathcal{E}_2, C_2 \not\models \varphi$, which gives the desired contradiction. □

The desired result now immediately follows.

Theorem 3 (pomset bisimilarity). Let $\mathcal{E}_1$ and $\mathcal{E}_2$ be PESs. Then $\mathcal{E}_1$ and $\mathcal{E}_2$ are pomset bisimilar iff $\mathcal{E}_1 \equiv_{\mathcal{L}_p} \mathcal{E}_2$.

As an example, consider the two PESs $\mathcal{E}_7$ and $\mathcal{E}_9$ in Fig. 2. They are step bisimilar but not pomset bisimilar since only the second one can execute the pomset $p_{a<b} = (\{a, b\}, a < b)$. Accordingly, the formula $\varphi = \langle\!|p_{a<b}|\!\rangle\mathsf{T} = \langle\!|a\,x|\!\rangle\langle\!|x < b\,y|\!\rangle\mathsf{T}$ in $\mathcal{L}_p$ is satisfied only by $\mathcal{E}_9$.



5.4 History preserving logic

The fragment $\mathcal{L}_{hp}$ corresponding to hp-bisimilarity is essentially the same as for pomset logic, where we relax the condition asking that the propositional connectives are applied only to closed formulae. Intuitively, in this way a formula $\varphi \in \mathcal{L}_{hp}$, besides expressing the possibility of executing a pomset $p_X$, also predicates about its dependencies with previously executed events (bound to the free variables of $\varphi$).

The following two PESs can be proved to be pomset equivalent but not hp-equivalent:

[Figure omitted: two PESs with events labelled a and b.]

Intuitively, they allow the same pomset transitions, but they have a different "causal branching". Indeed, only in the left-most PES after the execution of an a-labelled event we can choose between an independent and a dependent b-labelled event. In the rightmost PES the choice is already taken with the execution of $a$. Formally, the formula $\langle\!|a\,x|\!\rangle(\langle\!|x < b\,y|\!\rangle\mathsf{T} \wedge \langle\!|\bar{x} < b\,z|\!\rangle\mathsf{T})$ in $\mathcal{L}_{hp}$ is true only on the left-most PES.
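The examples of Sect. 5.3 and 5.4 above can be checked mechanically. The following Python model checker is an added example, not code from the paper: it evaluates formulae of $\mathcal{L}$ (Definition 18 below, without fixpoints) on finite PESs constructed to match the shapes the text describes, and it assumes that $E[C]$ denotes the events outside $C$ that are consistent with $C$, and that the step operator $\otimes$ can be encoded by executing pairwise concurrent events one after the other.

```python
"""Model checker for the logic L of this paper (Definition 18 without fixpoints)
on finite prime event structures.  Added example, not code from the paper.
Assumptions: E[C] is the set of events outside C that are consistent with C
(they may still occur after C, as in Example 3); the step operator (x) is
encoded as executing pairwise concurrent events one after the other."""
from itertools import combinations

class PES:
    def __init__(self, labels, causes=(), conflicts=()):
        # labels: {event: label}; causes: direct pairs (d, e) meaning d < e;
        # conflicts: direct pairs (d, e) meaning d # e (inherited along <).
        self.E, self.lab = set(labels), dict(labels)
        self.succ = {}
        for d, e in causes:
            self.succ.setdefault(d, set()).add(e)
        self.cf = [tuple(p) for p in conflicts]

    def le(self, d, e):  # d <= e, by reachability over direct causes
        return d == e or any(self.le(s, e) for s in self.succ.get(d, ()))

    def lt(self, d, e):
        return d != e and self.le(d, e)

    def conflict(self, d, e):  # d # e iff a direct conflict lies below d and e
        return any((self.le(p, d) and self.le(q, e)) or (self.le(q, d) and self.le(p, e))
                   for p, q in self.cf)

    def concurrent(self, d, e):  # d || e
        return d != e and not self.le(d, e) and not self.le(e, d) and not self.conflict(d, e)

    def consistent(self, S):  # pairwise conflict-free
        return all(not self.conflict(d, e) for d, e in combinations(S, 2))

    def down(self, S):  # causal closure of S
        return {d for e in S for d in self.E if self.le(d, e)}

    def is_config(self, C):
        return self.consistent(C) and self.down(C) <= C

    def future(self, C):  # E[C]: events outside C that are consistent with C
        return {e for e in self.E - C if self.is_config(C | self.down({e}))}

    def enabled(self, C):  # events of E[C] whose causes are all in C
        return {e for e in self.future(C) if self.down({e}) - {e} <= C}

# Formulas as nested tuples.
T = ('T',)
def And(p, q): return ('and', p, q)
def Not(p): return ('not', p)
def Q(xs, ys, a, z, p):  # (xs, ys-bar < a z) p: bind an a-event z caused by xs and
    return ('q', tuple(xs), tuple(ys), a, z, p)  # concurrent with ys, without executing
def Ex(z, p): return ('exec', z, p)  # <z> p: execute the event bound to z
def QX(xs, ys, a, z, p): return Q(xs, ys, a, z, Ex(z, p))  # <|xs, ys-bar < a z|> p

def fv(p):  # free event variables
    k = p[0]
    if k == 'T': return set()
    if k == 'and': return fv(p[1]) | fv(p[2])
    if k == 'not': return fv(p[1])
    if k == 'q': return (fv(p[5]) - {p[4]}) | set(p[1]) | set(p[2])
    return fv(p[2]) | {p[1]}  # exec

def sat(pes, C, env, p):
    """E, C |=_env p.  Only legal pairs (C with env(fv(p)) consistent) satisfy p."""
    if not pes.consistent(set(C) | {env[x] for x in fv(p)}):
        return False
    k = p[0]
    if k == 'T': return True
    if k == 'and': return sat(pes, C, env, p[1]) and sat(pes, C, env, p[2])
    if k == 'not': return not sat(pes, C, env, p[1])
    if k == 'q':
        xs, ys, a, z, body = p[1:]
        return any(sat(pes, C, {**env, z: e}, body) for e in pes.future(C)
                   if pes.lab[e] == a and all(pes.lt(env[x], e) for x in xs)
                   and all(pes.concurrent(env[y], e) for y in ys))
    z, body = p[1:]
    return env[z] in pes.enabled(C) and sat(pes, C | {env[z]}, env, body)

def holds(pes, p):  # E |= p for a closed formula p, at the empty configuration
    return sat(pes, frozenset(), {}, p)

# Sect. 5.3 shapes (constructed): a || b versus a || b plus a conflicting branch a2 < b2.
PAR = PES({'a': 'a', 'b': 'b'})
PAR_OR_SEQ = PES({'a': 'a', 'b': 'b', 'a2': 'a', 'b2': 'b'},
                 causes=[('a2', 'b2')], conflicts=[('a', 'a2'), ('b', 'a2')])
STEP_AB = QX([], [], 'a', 'x', QX([], ['x'], 'b', 'y', T))  # (<|a x|> (x) <|b y|>) T, in L_s
POM_A_B = QX([], [], 'a', 'x', QX(['x'], [], 'b', 'y', T))  # <|a x|><|x < b y|> T, in L_p
IND_B = QX([], [], 'a', 'x', QX([], ['x'], 'b', 'z', T))    # <|a x|><|x-bar < b z|> T, in L_p

# Sect. 5.4 shapes (constructed): after a, LEFT still offers a dependent and an
# independent b, whereas in RIGHT the choice is made by the a-event itself.
LEFT = PES({'a': 'a', 'b1': 'b', 'b2': 'b'}, causes=[('a', 'b1')], conflicts=[('b1', 'b2')])
RIGHT = PES({'a1': 'a', 'a2': 'a', 'b1': 'b', 'b2': 'b'},
            causes=[('a1', 'b1')], conflicts=[('a1', 'a2'), ('a1', 'b2')])
# Conjoining the two open subformulae under x is allowed in L_hp but not in L_p.
HP_BOTH = QX([], [], 'a', 'x', And(QX(['x'], [], 'b', 'y', T), QX([], ['x'], 'b', 'z', T)))
```

`holds(LEFT, HP_BOTH)` is true while `holds(RIGHT, HP_BOTH)` is false, whereas the two $\mathcal{L}_p$ formulae `POM_A_B` and `IND_B` hold on both, and `POM_A_B` separates `PAR` from `PAR_OR_SEQ` although `STEP_AB` does not.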

We start with the following lemma, whose proof is immediate, that makes explicit the semantics of the induced operator $\langle\!|x, \bar{y} < a\,z|\!\rangle$.

Lemma 9 (events with their history in the logic). Given a PES $\mathcal{E}$, $C \in \mathcal{C}(\mathcal{E})$, $\varphi \in \mathcal{L}_{hp}$ and $(C, \eta)$ a legal pair for $\varphi$:

$\mathcal{E}, C \models_\eta \langle\!|x, \bar{y} < a\,z|\!\rangle\varphi$ iff there is an event $e$ such that $C \xrightarrow{e} C'$, $\lambda(e) = a$, $\eta(x) < e$, $\eta(y) \parallel e$ and $\mathcal{E}, C' \models_{\eta'} \varphi$, where $\eta' = \eta[z \mapsto e]$.

Lemma 10. Let $\mathcal{E}_1$ and $\mathcal{E}_2$ be PESs, let $C_i \in \mathcal{C}(\mathcal{E}_i)$, for $i \in \{1, 2\}$, be configurations, and let $f : C_1 \to C_2$ be an isomorphism of pomsets. Then the following are equivalent:

1. there is a hp-bisimulation $R$ such that $(C_1, f, C_2) \in R$

2. for any $\varphi \in \mathcal{L}_{hp}$ and $\eta$ such that $\eta(fv(\varphi)) \subseteq C_1$, it holds $\mathcal{E}_1, C_1 \models_\eta \varphi \Leftrightarrow \mathcal{E}_2, C_2 \models_{f \circ \eta} \varphi$.

Proof. (1 $\Rightarrow$ 2) Let $R$ be a hp-bisimulation and take $(C_1, f, C_2) \in R$. Let us show that for any $\varphi \in \mathcal{L}_{hp}$ and $(C_1, \eta)$ such that $\eta(fv(\varphi)) \subseteq C_1$,

$\mathcal{E}_1, C_1 \models_\eta \varphi$ iff $\mathcal{E}_2, C_2 \models_{f \circ \eta} \varphi$.

We proceed by induction on the structure of the formula $\varphi$. We focus on the only non-trivial case where $\varphi = \langle\!|x, \bar{y} < a\,z|\!\rangle\psi$. If $\mathcal{E}_1, C_1 \models_\eta \varphi$, then by Lemma 9 there is an event $e \in E_1[C_1]$ such that

$C_1 \xrightarrow{e} C_1'$ (8)

with $\lambda_1(e) = a$, $\eta(x) < e$, $\eta(y) \parallel e$ and $\mathcal{E}_1, C_1' \models_{\eta'} \psi$ where $\eta' = \eta[z \mapsto e]$.
Since $(C_1, f, C_2) \in R$, there exists an event $g \in E_2$ such that

$C_2 \xrightarrow{g} C_2'$ (9)

and $(C_1', f', C_2') \in R$, with $f' = f[e \mapsto g]$. Clearly, $g \in E_2[C_2]$ and, since $f'$ is an isomorphism of configurations, we have that $\lambda_2(g) = a$, $f(\eta(x)) < g$ and $f(\eta(y)) \parallel g$.

Note that $\eta'(fv(\psi)) \subseteq \eta'(fv(\varphi) \cup \{z\}) = \eta(fv(\varphi)) \cup \{e\} \subseteq C_1 \cup \{e\} = C_1'$. Thus, we can use the induction hypothesis to deduce that $\mathcal{E}_2, C_2' \models_{f' \circ \eta'} \psi$. Therefore, by Lemma 9, we can conclude.

The proof that $\mathcal{E}_2, C_2 \models_{f \circ \eta} \varphi$ implies $\mathcal{E}_1, C_1 \models_\eta \varphi$ is analogous and thus omitted.

(2 $\Rightarrow$ 1) As in Proposition 1 we fix an injective environment $\eta_1 : Var \to E_1$. Moreover, given an event $e_1 \in E_1$, we write $x_{e_1}$ to denote the only variable such that $\eta_1(x_{e_1}) = e_1$. Similarly, for a configuration $C_1 = \{e_1, \dots, e_n\}$ we denote by $X_{C_1}$ the set of variables $\{x_{e_1}, \dots, x_{e_n}\}$. Observe that $(C_1, \eta_1)$ is a legal pair for any formula $\varphi \in \mathcal{L}$ such that $fv(\varphi) \subseteq X_{C_1}$.
In order to conclude, we show that the posetal relation

$R = \{ (C_1, f, C_2) \mid \forall \varphi \in \mathcal{L}_{hp}.\ fv(\varphi) \subseteq X_{C_1} \Rightarrow (\mathcal{E}_1, C_1 \models_{\eta_1} \varphi \text{ iff } \mathcal{E}_2, C_2 \models_{f \circ \eta_1} \varphi) \}$

is a hp-bisimulation. Note that as in Proposition 1, with a slight abuse of notation, we denote by $f \circ \eta_1$ any environment $\eta_2$ such that $\eta_2(x) = f(\eta_1(x))$ for $x \in X_{C_1}$ and $\eta_2(x)$ has any value, otherwise.

We proceed by contradiction: assume that $(C_1, f, C_2) \in R$, $C_1 \xrightarrow{e_1} C_1'$ and for all $e_2$ such that $C_2 \xrightarrow{e_2} C_2'$ with $C_1' \simeq C_2'$ as pomsets, we have $(C_1', f[e_1 \mapsto e_2], C_2') \notin R$, i.e., there exists a formula $\psi$, with $fv(\psi) \subseteq X_{C_1'}$, such that $\mathcal{E}_1, C_1' \models_{\eta_1} \psi$ and $\mathcal{E}_2, C_2' \not\models_{f' \circ \eta_1} \psi$.

Since all PESs are assumed to be image finite, there are finitely many transitions

$C_2 \xrightarrow{e_2^i} C_2^i$, $i \in \{1, \dots, k\}$

such that $f^i = f[e_1 \mapsto e_2^i] : C_1' \to C_2^i$ is an isomorphism of pomsets. Let $\psi^i$, for $i \in \{1, \dots, k\}$ be the formulae such that

$\mathcal{E}_1, C_1' \models_{\eta_1} \psi^i$ and $\mathcal{E}_2, C_2^i \not\models_{f^i \circ \eta_1} \psi^i$

where $fv(\psi^i) \subseteq X_{C_1'} = X_{C_1} \cup \{x_{e_1}\}$. Now consider the formula

$\varphi = \langle\!|x, \bar{y} < a\,x_{e_1}|\!\rangle(\psi^1 \wedge \dots \wedge \psi^k)$

where $a = \lambda_1(e_1)$ and the $x, y \subseteq X_{C_1}$ are such that $\eta_1(x)$ is the set of causes of $e_1$ in $C_1$ and $\eta_1(y)$ is the set of events in $C_1$ which are concurrent with $e_1$. Note that $fv(\varphi) = ((\bigcup_{i=1}^{k} fv(\psi^i)) \setminus \{x_{e_1}\}) \cup x \cup y \subseteq X_{C_1}$.

Then by Lemma 9 we have that $\mathcal{E}_1, C_1 \models_{\eta_1} \varphi$ and $\mathcal{E}_2, C_2 \not\models_{f \circ \eta_1} \varphi$, which gives the desired contradiction. □

It is worth observing that the hp-bisimulation built in the previous proof relates two configu- 
rations Ci and C2 when they satisfy the same formulae, whereas the hhp-bisimulation built in the 
proof of Theorem [1] relates Ci and C2 when the same formulae are satisfied by the empty config- 
uration (in an environment that binds free variables to Ci, resp. C2). Intuitively, this corresponds 
to the fact that for hp-bisimilarity one has to check only the future of a configuration, while for 
hhp-bisimilarity also alternative evolutions (hence evolutions from the past) of a configuration 
must be considered. 

Theorem 4 (hp-bisimilarity). Let $\mathcal{E}_1$ and $\mathcal{E}_2$ be PESs. Then $\mathcal{E}_1 \sim_{hp} \mathcal{E}_2$ iff $\mathcal{E}_1 \equiv_{\mathcal{L}_{hp}} \mathcal{E}_2$.

Proof. ($\Rightarrow$) Let $\mathcal{E}_1 \sim_{hp} \mathcal{E}_2$. Then there is an hp-bisimulation $R$ such that $(\emptyset, \emptyset, \emptyset) \in R$. For all $\varphi \in \mathcal{L}_{hp}$, if $\varphi$ is closed, i.e., $fv(\varphi) = \emptyset$, as an instance of Lemma 10 we obtain $\mathcal{E}_1, \emptyset \models_\emptyset \varphi$ iff $\mathcal{E}_2, \emptyset \models_\emptyset \varphi$. This amounts to $\mathcal{E}_1 \models \varphi$ iff $\mathcal{E}_2 \models \varphi$, i.e., $\mathcal{E}_1 \equiv_{\mathcal{L}_{hp}} \mathcal{E}_2$, as desired.

($\Leftarrow$) Let $\mathcal{E}_1 \equiv_{\mathcal{L}_{hp}} \mathcal{E}_2$. Then, for any $\varphi \in \mathcal{L}_{hp}$ closed, $\mathcal{E}_1 \models \varphi$ iff $\mathcal{E}_2 \models \varphi$. Since $\varphi$ is closed, satisfaction does not depend on the environment, hence $\mathcal{E}_1, \emptyset \models_\eta \varphi$ iff $\mathcal{E}_2, \emptyset \models_\eta \varphi$ for any $\eta \in Env_{\mathcal{E}_1}$. Therefore, we can apply Lemma 10 to conclude that there exists a hp-bisimulation $R$ such that $(\emptyset, \emptyset, \emptyset) \in R$ and thus $\mathcal{E}_1 \sim_{hp} \mathcal{E}_2$. □

6 A logic with recursion: $\mathcal{L}_\mu$

The logic $\mathcal{L}$ discussed in the previous section is theoretically interesting as it allows to characterise logically the main truly concurrent equivalences. However, as a specification language, it has a limited expressiveness: even if one can "observe" events arbitrarily far in the future, a single formula in $\mathcal{L}$ only describes properties where a finite number of events are executed. In order to overcome this limitation, in this section we study a fixpoint extension of the logic, where the use of recursion allows to express causal and concurrency properties of infinite computations. The resulting logic, denoted $\mathcal{L}_\mu$, is a kind of first-order mu-calculus.

Let a set of abstract propositions be fixed, ranged over by $X, Y, \dots$, that are intended to represent formulae possibly containing (unnamed) free event variables. Each abstract proposition has an arity $ar(X)$, which indicates the number of free event variables in $X$. An abstract proposition $X$ can be turned into a formula by specifying a name for its free variables. For $x$ such that $|x| = ar(X)$, we write $X(x)$ to indicate the abstract proposition $X$ whose free event variables are named $x$. We call $X(x)$ a proposition and denote by $\mathcal{X}$ the set of all propositions.

Definition 14 (syntax). Let $Var$ be a denumerable set of event variables and let $\mathcal{X}$ be a set of propositions, as explained above. The syntax of $\mathcal{L}_\mu$ over the set of labels $\Lambda$ is defined as follows:

$\varphi ::= X(x) \mid \mathsf{T} \mid \varphi \wedge \varphi \mid \neg\varphi \mid (x, \bar{y} < a\,z)\varphi \mid \langle z \rangle\varphi \mid \mu X(x).\varphi$

where for the formula $\mu X(x).\varphi$, as usual, $X$ must occur positively in $\varphi$ and additionally $fv(\varphi) = x$.
Definition 15 (free variables). The free variables of a formula $\varphi$ in $\mathcal{L}_\mu$ are given as in the corresponding Definition for $\mathcal{L}$, with the addition of the following clauses:

$fv(X(x)) = x$ and $fv(\mu X(x).\varphi) = x$.

In the following we will often use the set of free variables of a formula as a tuple. Thus it is convenient to assume that $fv(\cdot)$ returns a fixed tuple of variables. Note that the fact that variables $x$ are free in $X(x)$ and $\mu X(x).\varphi$ is reflected in the definition of free variable substitution. For instance $X(x)[y/x] = X(y)$ and $(\mu X(x).\varphi)[y/x] = \mu X(y).(\varphi[y/x])$.

A least fixpoint operator $\mu$ has been added. In a recursive formula $\mu X(x).\varphi$ the abstract proposition $X$ can occur recursively in $\varphi$, possibly with a different tuple of variables which intuitively are to be used in the next iteration. As usual a greatest fixpoint operator can be encoded, by duality, as

$\nu X(x).\varphi = \neg(\mu X(x).\neg\varphi[\neg X/X])$

where $\varphi[\neg X/X]$ is the formula obtained by replacing any occurrence of $X$ in $\varphi$ with $\neg X$ (in order to keep the positivity of the occurrences of $X$).

As an example, the existence of a run consisting of an infinite causal chain of a-actions can be expressed by the following formula:

$\langle\!|a\,x|\!\rangle(\nu X(x).\langle\!|x < a\,y|\!\rangle X(y))$

The infinite causal chain is obtained by "passing" the event bound to y by the current execution to 
the next iteration so that it can be used as a cause in the corresponding execution. The execution 
outside the recursive formula binds x to an a-labelled event which will be the first in the causal 
chain. 
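As an added illustration (not part of the paper), the following computation applies the encoding of $\nu$ and the fixpoint clause of Definition 18 below to this formula on an assumed PES $\mathcal{E}_\omega$ whose events form an infinite chain $e_0 < e_1 < e_2 < \dots$, all labelled $a$; it writes $[\!|x < a\,y|\!]\psi$ for the dual $\neg\langle\!|x < a\,y|\!\rangle\neg\psi$.

$$\nu X(x).\langle\!|x < a\,y|\!\rangle X(y) \;=\; \neg\big(\mu X(x).\neg\langle\!|x < a\,y|\!\rangle\neg X(y)\big) \;=\; \neg\big(\mu X(x).[\!|x < a\,y|\!]X(y)\big)$$

The inner fixpoint is $lfp(f)$ with $f(S) = \{|[\!|x < a\,y|\!]X(y)|\}^{\mathcal{E}_\omega}_{\pi[X(x) \mapsto S]}$, so $(C, \eta) \in f(S)$ iff for every $e$ enabled at $C$ with $\lambda(e) = a$ and $\eta(x) < e$ one has $(C \cup \{e\}, \eta[y \mapsto e]) \in S$ (with $y$ renamed to $x$, as prescribed by the proposition environment). In $\mathcal{E}_\omega$ the configurations are $C_n = \{e_0, \dots, e_{n-1}\}$, the only event enabled at $C_n$ is $e_n$, and $e_i < e_n$ iff $i < n$; hence, writing $\eta(x) = e_i$,

$$f(\emptyset) = \{(C_n, \eta) \mid i \geq n\}, \qquad f(f(\emptyset)) = \{(C_n, \eta) \mid i \geq n\} = f(\emptyset),$$

since for $i < n$ the successor pair $(C_{n+1}, \eta[y \mapsto e_n])$ binds the renamed variable to $e_n \in C_{n+1}$ and therefore is not in $f(\emptyset)$. Thus $lfp(f) = \{(C_n, \eta) \mid \eta(x) \notin C_n\}$ and, since every pair is legal in $\mathcal{E}_\omega$,

$$\{|\nu X(x).\langle\!|x < a\,y|\!\rangle X(y)|\}^{\mathcal{E}_\omega} = \{(C_n, \eta) \mid \eta(x) \in C_n\}.$$

Binding $x$ to $e_0$ and executing it with the outer $\langle\!|a\,x|\!\rangle$ yields the pair $(C_1, \eta[x \mapsto e_0])$, which lies in this set, so $\mathcal{E}_\omega$ satisfies the formula. On a finite chain $e_0 < \dots < e_{m-1}$ the same iteration instead grows: $f(\emptyset)$ also contains every pair at the maximal configuration $C_m$ (vacuously, nothing is enabled), the next step adds the pairs at $C_{m-1}$ whose only enabled event leads to $C_m$, and after $m$ steps $lfp(f)$ contains all legal pairs, so the $\nu$-formula denotes $\emptyset$ and the formula is false, as expected when no infinite causal chain exists.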

In a fixpoint formula $\mu X(x).\varphi$, the fixpoint operator binds all the free occurrences of the abstract proposition $X$ in $\varphi$. This leads to the following notion of free abstract proposition.

Definition 16 (free propositions, substitution). The set of free propositions in a formula $\varphi$ in $\mathcal{L}_\mu$, denoted $fp(\varphi)$, is defined inductively by

$fp(\mathsf{T}) = \emptyset$ \quad $fp(X(x)) = \{X\}$

$fp(\varphi_1 \wedge \varphi_2) = fp(\varphi_1) \cup fp(\varphi_2)$

$fp(\neg\varphi) = fp((x, \bar{y} < a\,z)\varphi) = fp(\langle z \rangle\varphi) = fp(\varphi)$

$fp(\mu X(x).\varphi) = fp(\varphi) \setminus \{X\}$

Let $\varphi$ be a formula in $\mathcal{L}_\mu$. For an abstract proposition $X$ and formula $\psi$ such that $fv(\psi) = x$, $|x| = ar(X)$, we denote by $\varphi[\psi/X]$ the formula obtained from $\varphi$ by replacing any free occurrence of $X(y)$ by $\psi[y/x]$.

A formula $\varphi \in \mathcal{L}_\mu$ is called closed when both $fv(\varphi)$ and $fp(\varphi)$ are empty.

Let us now move to the definition of the semantics. Legal pairs for a formula are defined exactly as in Definition 10. For instance the pair $(C, \eta)$ is legal for the formula $X(x)$ if the set $C \cup \eta(x)$ is pairwise consistent. On the other hand, in addition to the (event variable) environment, the semantics of $\mathcal{L}_\mu$ also requires an interpretation for the propositions, mapping each proposition to a set of legal pairs.

Definition 17 (proposition environments). Let $\mathcal{E}$ be a PES. A proposition environment is a function $\pi : \mathcal{X} \to 2^{\mathcal{C}(\mathcal{E}) \times Env_{\mathcal{E}}}$ such that:

1. $\pi(X(x)) \subseteq lp(X(x))$ for any $X(x) \in \mathcal{X}$, and

2. if $(C, \eta) \in \pi(X(x))$ and $\eta'(y) = \eta(x)$ pointwise, then $(C, \eta') \in \pi(X(y))$.

We denote by $PEnv_{\mathcal{E}}$ the set of proposition environments, ranged over by $\pi$.

The first condition requires that the denotation for $X(x)$ only consists of legal pairs for $X(x)$. The second condition requires that the semantics of a proposition only depends on the events that the environment associates to its free variables and that it does not depend on the naming of the variables. Such a condition allows to extend Lemma 2 to the logic with recursion.

Updates of a proposition environment must be performed in order to maintain the validity of properties 1 and 2 above. For $\pi \in PEnv_{\mathcal{E}}$ and $S \subseteq lp(X(x))$, we write $\pi[X(x) \mapsto S]$ for the proposition environment defined by

$\pi[X(x) \mapsto S](X(y)) = \{ (C, \eta') \mid (C, \eta) \in S \wedge \eta'(y) = \eta(x) \}$

$\pi[X(x) \mapsto S](Y(y)) = \pi(Y(y))$ for $Y \neq X$.

Lemma 11. Let $\mathcal{E}$ be a PES, let $\varphi \in \mathcal{L}_\mu$ be a formula, and let $x = fv(\varphi)$ be the tuple of free variables in $\varphi$.

1. If $(C, \eta) \in \{|\varphi|\}^{\mathcal{E}}_\pi$ and $\eta'(y) = \eta(x)$ pointwise, then $(C, \eta') \in \{|\varphi[y/x]|\}^{\mathcal{E}}_\pi$.

2. For any $\psi$ it holds $\{|\varphi[\psi/X]|\}^{\mathcal{E}}_\pi = \{|\varphi|\}^{\mathcal{E}}_{\pi[X(x) \mapsto \{|\psi|\}^{\mathcal{E}}_\pi]}$.

Proof. Both items can be proved by a routine induction on $\varphi$. □

In particular, from 1 above it follows that, as for $\mathcal{L}$, the semantics only depends on the events that the environment associates to the free variables of the formula, i.e., if $C \in \mathcal{C}(\mathcal{E})$ and $\eta, \eta'$ are environments such that $\eta|_{fv(\varphi)} = \eta'|_{fv(\varphi)}$ then $(C, \eta) \in \{|\varphi|\}^{\mathcal{E}}_\pi$ iff $(C, \eta') \in \{|\varphi|\}^{\mathcal{E}}_\pi$.

Definition 18 (semantics). Let £ be a pes. The denotation of a formula is given by the function 

{\-\y : Cf, PEnv£ ^ 2'^(^)^'^™*^ 
defined inductively as follows, where we write {\ip\\^ instead of {\ipW^ (tt) : 

{|T|}^ = C{£) X Env£ 

{hip\n^ip{ip)\mi 

{\{x,y <az)ip\^^ = {(C,77) | ((7,7?) G lp{{x,y <a,z)ip) and 

3e G E[C] such that 
A(e) = a A ri{x) < e A r]{y)\\e 
A (C,r;[z.^e])G{|^|}^ } 

m ^|}^ {(C,7y) \C ^ C A (C',7y) G {M'. } 
{|X(a;)|}^=^(X(a;)) 

Wl^Xix).^\^^^ = Ifpif) 

where lfp{f) is the least fixed point of the function f : 2'^'"^'^^'^ — !> 2'''('^('^)) that maps S C 
lp{X{x)) into 

fiS) - 

When {C,rf) G {|<^|}^ we say that the PES £ satisfies the formula ip in the configuration C 
and environments rj, tt and write £, C \=n,TT f- For closed formulae ip, we write £ \= ip, when 
1=0,0 'P- 

It can be easily proved that Lemma 1 extends to $\mathcal{L}_\mu$, i.e., for any formula $\varphi \in \mathcal{L}_\mu$, its denotation only contains legal pairs, that is $\{|\varphi|\}^{\mathcal{E}}_\pi \subseteq lp(\varphi)$. Note also that the semantics of recursive formulae is well-given. In fact, $\pi[X(\mathbf{x}) \mapsto S]$ is a well-defined proposition environment, since $S \subseteq lp(X(\mathbf{x}))$. Moreover $f(S) = \{|\varphi|\}^{\mathcal{E}}_{\pi[X(\mathbf{x}) \mapsto S]} \subseteq lp(\varphi)$ by the previous observation, and $lp(X(\mathbf{x})) = lp(\varphi)$ since $fv(\varphi) = \mathbf{x}$ by definition of the syntax of $\mathcal{L}_\mu$. Therefore, correctly, $f(S) \subseteq lp(X(\mathbf{x}))$. Moreover, the least fixed point of $f$ exists by the Knaster-Tarski theorem since the set $2^{lp(X(\mathbf{x}))}$ ordered by subset inclusion is a complete lattice and the function $f$ used in the definition is monotone. This can be easily checked by inspection of the definition of the semantics (Definition 18), keeping in mind that $X(\mathbf{x})$ is required to occur positively in $\varphi$.

As for the non-recursive fragment $\mathcal{L}$, the logic $\mathcal{L}_\mu$ could be defined in positive form. The corresponding syntax, given below, includes the dual operators and omits negation, which can then be encoded by duality.

$\varphi ::= X(\mathbf{x}) \mid T \mid \varphi \wedge \varphi \mid (\mathbf{x},\mathbf{y} < a\, z)\varphi \mid \langle z \rangle \varphi \mid \mu X(\mathbf{x}).\varphi$
$\qquad \mid F \mid \varphi \vee \varphi \mid [\mathbf{x},\mathbf{y} < a\, z]\varphi \mid [z]\varphi \mid \nu X(\mathbf{x}).\varphi$

In the following we will freely use the dual operators.

6.1 Examples 

In the previous section we observed that standard HM logic can be viewed as a fragment of $\mathcal{L}$ where we only use the (derived) modality $\langle| a\, x |\rangle\varphi$. Similarly, the propositional $\mu$-calculus corresponds to a fragment of the general logic $\mathcal{L}_\mu$ where we avoid references to causally dependent/independent events. In particular, since in recursive formulae we do not express causal links between event (variables) used in different iterations, we can use only propositions without free variables (i.e., of arity 0). Therefore, the $\mu$-calculus corresponds to the following fragment of $\mathcal{L}_\mu$:

$\varphi ::= X(\epsilon) \mid T \mid \varphi \wedge \varphi \mid \neg\varphi \mid (\mathbf{x},\mathbf{y} < a\, z)\varphi \mid \langle z \rangle\varphi \mid \mu X(\epsilon).\varphi$

For simplicity in the following we omit trailing empty tuples of variables, writing X instead of 

As first examples of $\mathcal{L}_\mu$ formulae we thus have some basic safety and liveness properties inherited from the $\mu$-calculus. For a fixed closed formula $\psi$, representing a property of interest:

— $\psi$ holds in every reachable state:
$Inv(\psi) = \nu X.\,(\psi \wedge [| z |] X)$;

— $\psi$ eventually holds in some state:
$Pos(\psi) = \mu X.\,(\psi \vee \langle| z |\rangle X)$;

— there is a complete (finite terminated or infinite) computation where $\psi$ always holds:
$Safe(\psi) = \nu X.\,(\psi \wedge ([| z |] F \vee \langle| x |\rangle X))$;

— in every complete computation eventually $\psi$ holds:
$Ev(\psi) = \mu X.\,(\psi \vee (\langle| z |\rangle T \wedge [| x |] X))$.

When moving to the full logic, property $\psi$ can include concurrency and causal features. In case $\psi$ is not closed, denoting by $\mathbf{x}$ the tuple of free variables in $\psi$, in order to respect the syntax any occurrence of $X$ above must be replaced by $X(\mathbf{x})$. Then we can consider $Ev((\langle| a\, z |\rangle \otimes \langle| b\, z' |\rangle) T)$, saying that eventually there will be a concurrent step consisting of two events, labelled $a$ and $b$, respectively, or $Inv([| r\, z |]\, Ev(\langle| z < s\, z' |\rangle T))$, saying that any $r$-labelled event will be eventually followed by an $s$-labelled event caused by it (e.g., any request will be eventually served).

More generally, the logic $\mathcal{L}_\mu$ allows one to express causal and concurrency properties of infinite computations, where events occurring in different fixpoint iterations are possibly related. We next provide a number of further examples.

— There is a causal chain of $b$-labelled events reaching a state where $a$ can be fired:

$\langle| a\, y |\rangle T \vee \langle| b\, x |\rangle\, \mu X(x).(\langle| a\, z |\rangle T \vee \langle| x < b\, y |\rangle X(y))$

— There is an executable $a$-labelled event such that in every configuration reached by executing events which are concurrent with it, a $c$-labelled event can be executed:

$(a\, x)(\langle x \rangle T \wedge \nu X(x).(\langle| c\, z |\rangle T \wedge [| x \parallel y |] X(x)))$
— It is always possible to perform a step consisting of two concurrent events labelled by $a$ and $b$, after executing any number of events labelled $c$:

$\nu X.\,((\langle| a\, z |\rangle \otimes \langle| b\, z' |\rangle) T \wedge [| c\, w |] X)$

— There is a finite sequence of (not necessarily related) steps consisting of two events labelled by $a$ and $b$, respectively, and finally a $c$-labelled event:

$\mu X.\,(\langle| c\, z |\rangle T \vee (\langle| a\, z |\rangle \otimes \langle| b\, z' |\rangle) X)$
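To make Definition 18 concrete and to check the first example above mechanically, here is an added Python model, not from the paper: a finite PES as plain dicts, a satisfaction checker for the core $\mathcal{L}_\mu$ operators that computes $\mu$ by iterating $f$ from the empty set (the finite case of the argument in Lemma 12), and the causal-chain formula evaluated on two constructed PESs. The tuple encoding of formulae, the names `sat`, `DIAM`, `CDIAM`, `OR` and both event structures are my own; `DIAM` and `CDIAM` assume that the derived modalities $\langle| a\, x |\rangle\varphi$ and $\langle| \mathbf{x} < a\, z |\rangle\varphi$ abbreviate $(\emptyset,\emptyset < a\, x)\langle x \rangle\varphi$ and $(\mathbf{x},\emptyset < a\, z)\langle z \rangle\varphi$.

```python
from itertools import product
# Constructed toy PESs (not from the paper): label[e] is the event label, causes[e] the set
# of ALL events below e (already transitive), conflict a set of unordered event pairs.
def pes(label, causes, conflict=()):
    return {'E': set(label), 'label': label, 'causes': causes,
            'conflict': {frozenset(p) for p in conflict}}
def consistent(P, S):          # no two events of S are in conflict
    return all(frozenset((e, f)) not in P['conflict'] for e in S for f in S)
def configs(P):                # C(E): causally closed, conflict-free subsets of E
    for bits in product((0, 1), repeat=len(P['E'])):
        C = frozenset(e for e, b in zip(sorted(P['E']), bits) if b)
        if consistent(P, C) and all(P['causes'][e] <= C for e in C):
            yield C
def conc(P, e, f):             # e || f: distinct, causally unrelated, not in conflict
    return (e != f and e not in P['causes'][f] and f not in P['causes'][e]
            and consistent(P, {e, f}))
def sat(P, C, eta, pi, phi):   # Definition 18 as a check: is (C, eta) in {|phi|}_pi ?
    op = phi[0]
    if op == 'T':   return True
    if op == 'not': return not sat(P, C, eta, pi, phi[1])
    if op == 'and': return sat(P, C, eta, pi, phi[1]) and sat(P, C, eta, pi, phi[2])
    if op == 'bind':           # (xs, ys < a z) body: a future a-event above xs, concurrent with ys
        _, xs, ys, a, z, body = phi
        return any(P['label'][e] == a and all(eta[x] in P['causes'][e] for x in xs)
                   and all(conc(P, eta[y], e) for y in ys) and sat(P, C, {**eta, z: e}, pi, body)
                   for e in P['E'] - C if consistent(P, C | {e}))  # e ranges over E[C]
    if op == 'exec':           # <z> body: fire the event bound to z, if it is enabled in C
        e = eta[phi[1]]
        return (e not in C and P['causes'][e] <= C and consistent(P, C | {e})
                and sat(P, C | {e}, eta, pi, phi[2]))
    if op == 'var':            # X(xs): look up the proposition environment pi
        return (C, tuple(eta[x] for x in phi[2])) in pi[phi[1]]
    _, X, xs, body = phi       # mu X(xs). body = lfp(f): iterate f from the empty set
    S = set()
    while True:
        S1 = {(D, es) for D in configs(P) for es in product(sorted(P['E']), repeat=len(xs))
              if sat(P, D, dict(zip(xs, es)), {**pi, X: S}, body)}
        if S1 == S: return (C, tuple(eta[x] for x in xs)) in S
        S = S1
T = ('T',)
def OR(p, q): return ('not', ('and', ('not', p), ('not', q)))
def DIAM(a, x, phi): return ('bind', (), (), a, x, ('exec', x, phi))        # <|a x|>phi
def CDIAM(xs, a, z, phi): return ('bind', xs, (), a, z, ('exec', z, phi))  # <|xs < a z|>phi
# "There is a causal chain of b-labelled events reaching a state where a can be fired"
CHAIN = OR(DIAM('a', 'y', T), DIAM('b', 'x', ('mu', 'X', ('x',),
           OR(DIAM('a', 'z', T), CDIAM(('x',), 'b', 'y', ('var', 'X', ('y',)))))))
# b0 < b1 < b2 < a0 has such a chain; in PES_BLOCKED the b-chain never enables a0 (c0 < a0)
PES_CHAIN = pes({'b0': 'b', 'b1': 'b', 'b2': 'b', 'a0': 'a'},
                {'b0': set(), 'b1': {'b0'}, 'b2': {'b0', 'b1'}, 'a0': {'b0', 'b1', 'b2'}})
PES_BLOCKED = pes({'b0': 'b', 'b1': 'b', 'c0': 'c', 'a0': 'a'},
                  {'b0': set(), 'b1': {'b0'}, 'c0': set(), 'a0': {'c0'}})
```

Plain iteration from the empty set reaches the least fixpoint here because the PES is finite; the transfinite approximants of Lemma 12 are needed only for infinite ones.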

6.2 Invariance of logical equivalence

We show that the addition of fixpoint formulae does not alter the logical equivalence, which still coincides with hhp-bisimilarity, i.e., $\equiv_{\mathcal{L}} = \equiv_{\mathcal{L}_\mu} = \sim_{hhp}$. (Recall that in the paper we are limiting ourselves to image-finite PESs.) For this aim we introduce an infinitary version of the logic $\mathcal{L}_\mu$, which can be exploited to define fixpoint approximants (see, e.g., [BS06]).

Let us denote by $\mathcal{L}_\mu^\infty$ an extension of $\mathcal{L}_\mu$ with infinite conjunctions, i.e., formulae of $\mathcal{L}_\mu^\infty$ are defined by the grammar

$\varphi ::= X(\mathbf{x}) \mid T \mid \bigwedge_{i \in I} \varphi_i \mid \neg\varphi \mid (\mathbf{x},\mathbf{y} < a\, z)\varphi \mid \langle z \rangle\varphi \mid \mu X(\mathbf{x}).\varphi$

The semantics of $\mathcal{L}_\mu^\infty$ is defined as in Definition 18, replacing the clause for conjunction with $\{|\bigwedge_{i \in I} \varphi_i|\}^{\mathcal{E}}_\pi = \bigcap_{i \in I} \{|\varphi_i|\}^{\mathcal{E}}_\pi$. We denote by $\mathcal{L}^\infty$ the fragment of $\mathcal{L}_\mu^\infty$ not including propositions and fixpoint operators.

Definition 19 (approximants). The $\alpha$-th approximant of a fixpoint formula in $\mathcal{L}_\mu^\infty$, for an ordinal $\alpha$, is a formula in $\mathcal{L}^\infty$, inductively defined as follows:

$\mu^0 X(\mathbf{x}).\varphi = F$

$\mu^{\alpha+1} X(\mathbf{x}).\varphi = \varphi[\mu^\alpha X(\mathbf{x}).\varphi / X]$

$\mu^\lambda X(\mathbf{x}).\varphi = \bigvee_{\alpha < \lambda} \mu^\alpha X(\mathbf{x}).\varphi$ for $\lambda$ a limit ordinal

A fixpoint formula $\mu X(\mathbf{x}).\varphi$ is intuitively equivalent to the (infinite) disjunction of its approximants. More formally:

Lemma 12 (fixpoint unfolding via approximants). Let $\mathcal{E}$ be a PES. For any formula $\mu X(\mathbf{x}).\varphi$ in $\mathcal{L}_\mu^\infty$ there exists an ordinal $\alpha$ such that

$\{|\mu X(\mathbf{x}).\varphi|\}^{\mathcal{E}}_\pi = \{|\mu^\alpha X(\mathbf{x}).\varphi|\}^{\mathcal{E}}_\pi.$

Proof. Recall that $\{|\mu X(\mathbf{x}).\varphi|\}^{\mathcal{E}}_\pi = lfp(f)$ where $f : 2^{lp(X(\mathbf{x}))} \to 2^{lp(X(\mathbf{x}))}$ is the function defined by $f(S) = \{|\varphi|\}^{\mathcal{E}}_{\pi[X(\mathbf{x}) \mapsto S]}$.

We already noted that the function $f$ is monotone in $2^{lp(X(\mathbf{x}))}$ ordered by subset inclusion. Hence its least fixpoint can be obtained by iterating $f$ on $\emptyset$, the bottom element of the lattice, i.e., there exists an ordinal $\alpha$ such that $lfp(f) = f^\alpha(\emptyset)$, where $f^0(\emptyset) = \emptyset$, $f^{\alpha+1}(\emptyset) = f(f^\alpha(\emptyset))$ and $f^\lambda(\emptyset) = \bigcup_{\alpha < \lambda} f^\alpha(\emptyset)$ for $\lambda$ a limit ordinal.

The observation that for any ordinal $\alpha$ it holds that $f^\alpha(\emptyset) = \{|\mu^\alpha X(\mathbf{x}).\varphi|\}^{\mathcal{E}}_\pi$ allows us to conclude. The latter can be proved by transfinite induction on $\alpha$.

($\alpha = 0$) $\{|\mu^0 X(\mathbf{x}).\varphi|\}^{\mathcal{E}}_\pi = \{|F|\}^{\mathcal{E}}_\pi = \emptyset = f^0(\emptyset)$

($\alpha \to \alpha + 1$) We have that

$\{|\mu^{\alpha+1} X(\mathbf{x}).\varphi|\}^{\mathcal{E}}_\pi$
$= \{|\varphi[\mu^\alpha X(\mathbf{x}).\varphi / X]|\}^{\mathcal{E}}_\pi$ [def. of $\mu^{\alpha+1} X(\mathbf{x}).\varphi$]
$= \{|\varphi|\}^{\mathcal{E}}_{\pi[X(\mathbf{x}) \mapsto \{|\mu^\alpha X(\mathbf{x}).\varphi|\}^{\mathcal{E}}_\pi]}$ [Lemma 11]
$= f(\{|\mu^\alpha X(\mathbf{x}).\varphi|\}^{\mathcal{E}}_\pi)$ [def. of $f$]
$= f(f^\alpha(\emptyset)) = f^{\alpha+1}(\emptyset)$ [inductive hypothesis]

($\lambda$ limit ordinal) We have
We can finally prove that the logical equivalences induced by $\mathcal{L}$ and $\mathcal{L}_\mu$ are the same and they both coincide with $\sim_{hhp}$.

Corollary 1 (invariance of logical equivalence). The logical equivalences of $\mathcal{L}$ and $\mathcal{L}_\mu$ coincide with $\sim_{hhp}$.

Proof. First of all, since $\mathcal{L}_\mu$ extends $\mathcal{L}$, clearly $\equiv_{\mathcal{L}_\mu}$ implies $\equiv_{\mathcal{L}}$ which in turn, by Proposition 1, implies $\sim_{hhp}$. Hence $\equiv_{\mathcal{L}_\mu}$ implies $\sim_{hhp}$. For the opposite direction, note that Proposition 2 can be straightforwardly adapted to the logic $\mathcal{L}^\infty$ (as finiteness of conjunction plays no role in the proof). Hence $\sim_{hhp}$ implies $\equiv_{\mathcal{L}^\infty}$. An inductive argument, using Lemma 12, allows one to show that for any closed formula in $\mathcal{L}_\mu^\infty$ (and thus in particular any formula in $\mathcal{L}_\mu$), there exists an equivalent formula in $\mathcal{L}^\infty$, obtained by replacing all fixpoint operators with suitable approximants. Therefore $\equiv_{\mathcal{L}^\infty}$ implies $\equiv_{\mathcal{L}_\mu}$, hence $\sim_{hhp}$ implies $\equiv_{\mathcal{L}_\mu}$ as desired. □

7 Conclusions: related and future work 

We have introduced a logic for true concurrency, which allows one to predicate on events in computations and their mutual dependencies (causality and concurrency). The logic subsumes standard HM logic and provides a characterisation of the most widely known true concurrent behavioural equivalences: hhp-bisimilarity is the logical equivalence induced by the full logic, and suitable fragments are identified which induce hp-bisimilarity, pomset and step bisimilarity.

As we mentioned in the introduction, there is a vast literature relating logical and operational views of true concurrency; however, to the best of our knowledge, a uniform logical counterpart of the true concurrent spectrum was still missing. An exhaustive account of the related literature is impossible; we just recall here the approaches that most closely relate to our work.

In [DNF90, PLS94, Che92] the causal structure of concurrent systems is pushed into the logic. The paper [DNF90] considers modalities which describe pomset transitions, thus providing an immediate characterisation of pomset bisimilarity. Moreover, [DNF90, PLS94, Che92] show that by tracing the history of states and adding the possibility of reverting pomset transitions, one obtains an equivalence coarser than hp-bisimilarity and incomparable with pomset bisimilarity, called weak hp-bisimilarity. Our logic intends to be more general by also capturing the interplay between concurrency and branching, which is not observable at the level of hp-bisimilarity.

A recent work [GB09, Gut09] introduces a fixpoint modal logic for true concurrent models, called Separation Fixpoint Logics (SFL). This includes modalities which specify the execution of an action causally dependent/independent on the last executed one. Moreover, a "separation operator" deals with concurrently enabled actions. The approach of [GB09, Gut09] is inspired by the so-called Independence-Friendly Modal Logic (IFML) [BF02], which includes a modality that allows one to specify that the currently executed action is independent from a number of previously executed ones. In this sense IFML is similar in spirit to our logic. The equivalences induced by fragments of IFML are not standard in the true concurrent spectrum. (The fragment of the logic without the separation operator captures an equivalence referred to as hp-bisimilarity, but which actually is a weakening of it [Fro10]. For similar reasons, the full logic induces an equivalence which is weaker than hhp-bisimilarity, and incomparable with hp-bisimilarity.) Still, a deeper comparison with this approach represents an interesting open issue.
Several classical papers have considered temporal logics with modalities corresponding to the "retraction" or "backward" execution of computations. In particular [NC95, Bed91, HS85] study a so-called path logic with a future perfect (also called past tense) modality: $@_a\, \varphi$ is true when $\varphi$ holds in a state which can reach the current one with an $a$-transition. When interpreted over transition systems with independence, in absence of autoconcurrency, the logic characterises hhp-bisimilarity. In [NC95] it is shown that, taking autoconcurrency into account, the result can be extended at the price of complicating the logic (roughly, the logic needs an operator to undo a specific action performed in the past).

Compared to these works, the main novelty of our approach resides in the fact that the logic $\mathcal{L}$ provides a characterisation of the different equivalences in a simple, unitary logical framework. In order to enforce this view, we intend to pursue a formal comparison with the logics for concurrency introduced in the literature. It is easy to see that the execution modalities of [GB09, Gut09] can be encoded in $\mathcal{L}$ since they only refer to the last executed event, while the formulae in $\mathcal{L}$ can refer to any event executed in the past. On the other hand, the "separation operator" of [GB09, Gut09], as well as the backward modalities mentioned above (past tense, future perfect, reverting pomset transitions), are not immediately encodable in $\mathcal{L}$. A deeper investigation would be of great help in shedding further light on the truly concurrent spectrum. Moreover $\mathcal{L}$ suggests an alternative, forward-only, operational definition of hhp-bisimulation, which could be inspiring also for other reverse bisimulations [PU10].

Interestingly, the idea of considering a logic with event variables is taken also in a very recent work [PU11], which provides an elegant characterisation of (h)hp-bisimilarity via a logic, called Event Identifier Logic (EIL), with a backward execution modality. The logic includes three operators: $\langle x{:}a \rangle$, $(x{:}a)$ and $\langle\langle x \rangle\rangle$. The formula $\langle x{:}a \rangle\varphi$ holds when an $a$-labelled event can be executed and then $\varphi$ holds. The formula $(x{:}a)\varphi$ holds if in the current state (configuration) there is an $a$-labelled event and then $\varphi$ holds. In both cases, the event is bound to variable $x$ for future references. Finally, $\langle\langle x \rangle\rangle\varphi$ holds when the event bound to $x$ can be undone and then $\varphi$ holds. The reason why both logics capture hhp-bisimilarity is conceptually clear: the possibility of performing backward steps can be seen as a means of exploring alternative futures. The very same possibility is "primitive" in our logic, where we can explore the future of a configuration without executing the corresponding events. However, the formal relationship between EIL and our logic (e.g., the possibility of encoding backward steps in our logic) is still to be understood and represents a stimulating direction of future research.

As a byproduct of such an investigation, we foresee the identification of interesting extensions of the concurrent spectrum, both at the logical and at the operational side. For instance, it can be shown that the fragment of $\mathcal{L}$ where the operator $(\mathbf{x},\mathbf{y} < a\, z)$ is restricted to bind $z$ to events consistent with those already quantified induces an equivalence which admits a natural operational definition, is still decidable and lies in between hp- and hhp-bisimilarity, still being different from the equivalences in [GB09, Gut09].

Connected to this, model-checking and decidability issues are challenging directions of future investigation (see [Pen95] for a survey of these issues over partial order temporal logics and logics based on event structures having explicit operators representing concurrency, causality and conflict). It is known that hhp-bisimilarity is undecidable, even for finite state systems [JNS03], while hp-bisimilarity is decidable. Characterising decidable fragments of the logic could be helpful in drawing a clearer separation line between decidability and undecidability of concurrent equivalences. A promising direction is to impose a bound on the "causal depth" of the future which the logic can quantify on. In this way one gets a chain of equivalences, coarser than hhp-bisimilarity, which should be closely related to the n-hhp bisimilarities introduced and shown to be decidable in [FH99]. As for verification, we aim at investigating the automata-theoretic counterpart of the logic. In previous papers, hp-bisimilarity has been characterised in automata-theoretic terms using HD-automata [MP97] or Petri nets [Vog91]. It seems that HD-automata [MP97] could provide a suitable automata counterpart of the fragment $\mathcal{L}_{hp}$. Also the game-theoretical approach proposed in [GB09, Gut09] for the fixpoint separation logic can be a source of inspiration.

Just note that the model checking problem is not trivial since a formula can have only infinite models, even if we limit ourselves to the finite fragment. For instance, the formula $\langle| a\, w |\rangle T \wedge \neg (a\, x) \neg (x < a\, y) T$ only holds in a PES which contains an infinite causal chain of $a$-labelled events. Preliminary investigations lead us to conjecture model-checking to be decidable on finite state systems for the fixpoint extensions of $\mathcal{L}_{hp}$, $\mathcal{L}_p$ and $\mathcal{L}_s$.